SUPERNOVA is an anonymous code webshell written in .NET C# specifically for use on SolarWinds Orion servers. It is deployed as a DLL module that masquerades as a SolarWinds web service that returns the current logo image for display by the SolarWinds Orion application.
In normal operation, the webshell returns the appropriate logo image as requested by other elements of the Orion application. None of the malicious code executes unless a specific set of parameters is present in the HTTP GET request. This allows the webshell to remain undetected until the attackers decide to use it.
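Because the handler behaves normally unless extra parameters are supplied, one way to hunt for use of the webshell is to compare the query parameters seen in IIS logs against the set the legitimate handler expects. The following is an added example, not code from the original article or from SolarWinds; the handler path, parameter names and log lines are constructed placeholders and must be replaced with values taken from a known-good installation.

```python
from urllib.parse import parse_qsl

# Assumption: placeholder handler path and legitimate parameter set.
# Take the real values from a known-good Orion install.
BASELINE = {"/example/logohandler.ashx": {"id"}}

# Constructed W3C-format IIS log sample (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-12-01 10:00:01 GET /example/logohandler.ashx id=logo1 10.0.0.5 200
2020-12-01 10:00:07 GET /example/other.aspx view=1 10.0.0.5 200
2020-12-01 10:03:44 GET /Example/LogoHandler.ashx param_a=x&param_b=y 203.0.113.9 200
2020-12-01 10:04:02 POST /example/logohandler.ashx - 10.0.0.6 200
"""

def unexpected_params(log_text, baseline=BASELINE):
    """Return (date, time, client_ip, stem, extra_params) for GET requests to a
    baselined handler whose query has parameter names outside the baseline."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order comes from the log's own header, not a fixed layout.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        allowed = baseline.get(stem)
        if allowed is None or row.get("cs-method") != "GET":
            continue
        query = row.get("cs-uri-query", "-")
        names = set()
        if query != "-":  # "-" means an empty query string in W3C logs
            names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
        extra = sorted(names - allowed)
        if extra:
            hits.append((row["date"], row["time"], row.get("c-ip"), stem, extra))
    return hits

if __name__ == "__main__":
    for hit in unexpected_params(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of compromise, since the baseline is only as good as the known-good traffic it was built from.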
Due to the emerging nature of this malware, this article will be updated as new information becomes available.