Last December, many cybersecurity companies were investigating a massive supply chain attack that affected SolarWinds and its customers. Even then, experts’ reports mentioned not only the SUNBURST payload (aka Solorigate), which downloaded the Teardrop backdoor Trojan, but also the fact that attackers sometimes injected a web shell called Supernova into infected .NET networks.
At first, researchers believed the hackers were using Supernova to download, compile, and execute a malicious PowerShell script (dubbed CosmicGale). However, Microsoft analysts soon reported that Supernova was part of a separate attack and was not related to the headline-grabbing supply chain compromise at all. It turned out that the Supernova web shell was injected into poorly protected SolarWinds Orion installations that were vulnerable to CVE-2019-8917.
Microsoft's report noted that, unlike the SUNBURST DLL, the Supernova DLL was not signed with a legitimate SolarWinds certificate. Because of this, the experts concluded that this malware had nothing to do with the original supply chain attack and was most likely the work of a different hacking group.
Now Microsoft's findings have been confirmed by Secureworks. This week the company released a report according to which Supernova is associated with last year's attacks on Zoho ManageEngine servers (moreover, information about that 0-day bug had simply been published on Twitter).
Secureworks tracks the attackers behind the Zoho ManageEngine intrusions under the codename Spiral and believes the group is based in China. During the August incident, the hackers accidentally revealed one of their IP addresses, which turned out to be associated with the Celestial Empire.
As the researchers now write, the behavior of the Supernova malware is similar to the group's activity in August of last year, which was directed against Zoho products. It looks like Spiral could be responsible for both of these attacks, meaning Microsoft's analysts were right.