What does avast explorer context handler do
In this post, we provide an analysis of the SUPERNOVA trojan, describing how the weaponized DLL payload differs from the legitimate version it supplanted. Further, we disclose some new Indicators of Compromise that may, in addition to previously documented IoCs, help security teams to detect when the malicious webshell is active.

Overview of SolarWinds' Malware Components

The sophisticated nature of the SolarWinds compromise has resulted in a flurry of new malware families, each with different characteristics and behaviors.

- This backdoor was distributed as part of a trojanized MSI (Windows installer) patch and delivered via SolarWinds updating mechanisms.
- TEARDROP is a memory-resident implant used (primarily) to distribute the Cobalt Strike beacon payload.
- COSMICGALE refers to certain malicious PowerShell scripts that are executed on compromised hosts.
- SUPERNOVA refers to a web shell implant used to distribute and execute additional code on exposed hosts.

Below, we focus on understanding and detecting the SUPERNOVA web shell implant.

The Trojanized App_Web_logoimagehandler DLL

The SUPERNOVA web shell implant is a trojanized copy of a legitimate DLL, a .NET library in the SolarWinds Orion web application. The purpose of the original DLL is to serve up a user-configured logo to web pages in the Orion web application.

Modifying the legitimate SolarWinds DLL for malicious use required just a few key changes, and upon analysis appears deceptively 'elegant'. Below, we illustrate some of the key differences between the legitimate SolarWinds DLL and the weaponized 'SUPERNOVA' DLL.

A legitimate instance of App_Web_:

A weaponized instance of App_Web_:

The attackers injected an additional method, DynamicRun(), into the legitimate SolarWinds' LogoImageHandler class from the App_Web_, turning the benign DLL into a sophisticated webshell. The added DynamicRun() method is called by the ProcessRequest() method, which handles HTTP requests. The attackers added a try/catch block to the beginning of this method's source code to parse part of the HTTP request and redirect control flow to the attacker's DynamicRun() method.

And the weaponized ProcessRequest() with added try/catch block:
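One defender-side check that follows from the analysis above, added here as an example and not part of the original post: a .NET assembly records every type and method name in the #Strings heap of its CLI metadata, so a copy of the handler DLL can be inspected for the injected DynamicRun() name without ever loading it into a process. The parser below walks the standard ECMA-335 metadata root; the sample bytes it builds are constructed test data, not taken from a real Orion DLL.

```python
# Added example: a load-free check for the method injection the analysis describes.
# Every type and method name of a .NET assembly lives in the #Strings heap of
# its CLI metadata (ECMA-335), so the injected DynamicRun() leaves its name
# behind even though the DLL is never loaded or executed here.
import hashlib
import struct

SUSPICIOUS_NAMES = {"DynamicRun"}   # injected method named in the analysis
EXPECTED_TYPE = "LogoImageHandler"  # class the analysis says was modified

def strings_heap_names(data: bytes) -> set:
    """Return every identifier stored in the #Strings heap of a managed PE."""
    root = data.find(b"BSJB")  # CLI metadata root signature
    if root < 0:
        raise ValueError("no CLI metadata root: not a managed assembly")
    ver_len = struct.unpack_from("<I", data, root + 12)[0]
    pos = root + 16 + ver_len  # skip the 4-byte-padded version string
    n_streams = struct.unpack_from("<H", data, pos + 2)[0]  # after Flags
    pos += 4
    for _ in range(n_streams):  # stream headers: offset, size, padded name
        off, size = struct.unpack_from("<II", data, pos)
        end = data.index(b"\0", pos + 8)
        name = data[pos + 8:end]
        pos += 8 + ((end + 1 - (pos + 8) + 3) & ~3)  # name padded to 4
        if name == b"#Strings":
            heap = data[root + off:root + off + size]
            return {s.decode("utf-8", "replace") for s in heap.split(b"\0") if s}
    raise ValueError("#Strings heap not found")

def check_assembly(data: bytes) -> dict:
    """Hash the image and report unexpected method names beside the handler."""
    names = strings_heap_names(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "has_logo_handler": EXPECTED_TYPE in names,
        "injected": sorted(SUSPICIOUS_NAMES & names),
    }

def build_sample(identifiers) -> bytes:
    """Construct a minimal metadata root with one #Strings heap (test data only)."""
    heap = b"\0" + b"".join(n.encode() + b"\0" for n in identifiers)
    version = b"v4.0.30319\0\0"  # 12 bytes, already 4-byte aligned
    head = b"BSJB" + struct.pack("<HHII", 1, 1, 0, len(version)) + version
    head += struct.pack("<HH", 0, 1)  # Flags, then one stream header follows
    head += struct.pack("<II", 52, len(heap)) + b"#Strings\0\0\0\0"  # heap at +52
    return b"MZ constructed sample " + head + heap
```

Run check_assembly() over the bytes of a DLL copied from the Orion web application and compare the reported sha256 against vendor-published hashes; an empty injected list on its own is not proof that the file is clean.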