Cisco Talos researchers Andrew Windsor and Chris Neal have observed new activity from Solarmarker, a .NET-based information stealer and keylogger they describe as “highly modular.”
The researchers explained that the Solarmarker campaign is being run by “quite sophisticated” actors who focus their energy on the theft of personal and residual information.
Other clues, such as the keylogger’s language-targeting component, suggest that the attackers are either interested in European organizations or unable to process text in languages other than Russian, German, and English.
“Either way, they aren’t paying particular attention to which victims are infected with the malware. During this recent surge in campaign activity, Talos has most often observed it targeting the healthcare, education, and municipal sectors,” the report said.
“These sectors were followed by a small group of manufacturing organizations and several separate organizations in religious institutions, financial services, and construction/engineering. Although the victims appear to be concentrated in several industries, we assess with moderate confidence that this is at least unintentional and that the campaign is not targeted at any particular industry.”
Microsoft researchers believe that the Solarmarker campaign uses SEO poisoning to make its dropper files stand out in search engine results, which raises the question of which types of organizations are likely to encounter the malicious files.
Talos researchers found that the observed modules steal “sensitive information” from individual employees’ browsers, such as when a credit card number or other personal information is entered. The report warned organizations to be wary of the malware because an infection indicates that such information is exposed, “including things that are important to your organization’s security, especially credentials.”
Cisco states that the malware previously used a staging module called “dm” but now uses one called “Mars.” The researchers also discovered another previously unreported module named “Uranus.”
“Talos has been actively tracking malware campaigns using the Solarmarker information stealer dating back to September 2020, with some DNS telemetry and related activity dating back to April 2020. At that time, we found multiple variants with three major DLL components that exhibit similar behavior.”
The research shows that the attackers typically inject a stager into the victim’s host for command-and-control communications and further malicious actions; a second component, called “Jupyter,” was then observed being injected by the stager.
A Cisco analyst examined the DLL module named “Jupyter” and found that it can steal personal information, credentials, and form-submission values from the victim’s Firefox and Chrome installations and user directories.
The module uses HTTP POST requests to send the information to the C2 server. The attackers have complicated attempts to decrypt or analyze the raw data passing between the victim and the C2 server by a variety of means, including passing the “CurrentUser” flag as the data-protection scope argument of the “Unprotect” method call.
“The Jupyter info stealer is the second module dropped by Solarmarker. During many runs of the Solarmarker sample, we observed the C2 sending an additional PS1 payload to the victim’s host,” the report says.
“The response from the C2 is encoded in the same way as the JSON object that contains the victim’s system information. After reversing the base64 and XOR encodings, this byte stream is written to a PS1 file on disk, executed, and then deleted from disk. This new PowerShell script contains a base64-encoded .NET DLL, which is also injected by loading it as a .NET reflective assembly.”
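The decoding chain described above, walked as an analyst would on a captured response rather than on a live host. This is an added example, not code from the Talos report or from Solarmarker itself; the exact layer layout (base64 over a repeating-key XOR), the key, and the sample script are constructed assumptions, since the report only names the two encodings.

```python
import base64
import re

# Assumed layout for this example (the report only says "base64 and XOR"):
# body = base64( xor(ps1_text, KEY) ). Key and script are constructed here.
XOR_KEY = b"constructed-key"
LOAD_RE = re.compile(r'FromBase64String\("([A-Za-z0-9+/=]+)"\)')


def xor_bytes(data, key):
    """Repeating-key XOR, which is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_c2_response(body, key=XOR_KEY):
    """Peel the two layers off a captured response: base64 first, then XOR,
    yielding the PowerShell text the stager would write to a PS1 file."""
    return xor_bytes(base64.b64decode(body), key).decode("utf-8", "replace")


def extract_embedded_assembly(ps1_text):
    """Locate the base64 blob handed to the reflective loader and describe it
    (size, PE header check) without ever executing the script."""
    match = LOAD_RE.search(ps1_text)
    if match is None:
        return None
    blob = base64.b64decode(match.group(1))
    return {
        "size": len(blob),
        "is_pe": blob[:2] == b"MZ",
        "reflective_load": "[System.Reflection.Assembly]::Load" in ps1_text,
    }


def build_sample_response():
    """Constructed stand-in for a captured C2 response: a tiny PS1 that passes
    a fake 'DLL' (MZ header plus padding, not a real assembly) to the
    reflective loader, wrapped in the XOR and base64 layers."""
    fake_dll = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    ps1 = (
        '$b = [Convert]::FromBase64String("%s")\n'
        "[System.Reflection.Assembly]::Load($b) | Out-Null\n"
    ) % base64.b64encode(fake_dll).decode()
    return base64.b64encode(xor_bytes(ps1.encode(), XOR_KEY)).decode()
```

Against real traffic the key would have to be recovered from the stager first; the point is that the second-stage DLL can be carved and fingerprinted from the network capture alone, without ever letting the PS1 run.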
Analysts also noted that the stager can steal browser form data and other information, and that the attackers use a keylogger called “Uran” that was discovered in a previous campaign.
“Solarmarker’s staging component acts as a central execution hub, facilitating initial communication with the C2 server and allowing other malicious modules to be dropped onto the victim’s host,” the report explains.
“In the observed data, the stager is deployed as a .NET assembly named ‘d’ with a single execution class named ‘m’ (referred to in this analysis as ‘dm’). At run time, the malware extracts a large number of files into the ‘AppData\Local\Temp’ directory on the victim’s host. These include a TMP file with the same name as the original download file and a PowerShell script file (PS1) that generates the rest of the execution chain.”
The malware’s name is taken from a file it writes to “AppData\Roaming\solarmarker.dat”; this file reportedly acts as an identification tag for the victim’s host.
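A triage check for the two host artifacts just described (the solarmarker.dat tag and a PS1 dropped beside TMP files in the user’s Temp directory), as an added example that is not part of the Talos report. It builds a constructed profile tree so it runs offline; on a real system you would point `hunt_profiles` at the Users directory instead.

```python
import tempfile
from pathlib import Path

# Host artifacts named in the Talos analysis: the identification tag under
# AppData\Roaming and the TMP + PS1 drop in AppData\Local\Temp.
TAG_FILE = Path("AppData", "Roaming", "solarmarker.dat")
TEMP_DIR = Path("AppData", "Local", "Temp")


def hunt_profiles(users_root):
    """Return (username, finding) tuples for every profile under users_root
    (e.g. C:\\Users) that shows one of the artifacts. Coarse triage only:
    a PS1 next to TMP files in Temp is a lead to inspect, not proof."""
    findings = []
    for profile in sorted(Path(users_root).iterdir()):
        if not profile.is_dir():
            continue
        if (profile / TAG_FILE).is_file():
            findings.append((profile.name, "solarmarker.dat tag file present"))
        temp = profile / TEMP_DIR
        if temp.is_dir():
            files = [f for f in temp.iterdir() if f.is_file()]
            tmps = [f for f in files if f.suffix.lower() == ".tmp"]
            for script in files:
                if script.suffix.lower() == ".ps1" and tmps:
                    findings.append((profile.name,
                                     f"{script.name} beside {len(tmps)} TMP file(s) in Temp"))
    return findings


def build_fixture():
    """Constructed throwaway profile tree (not real telemetry): 'alice' is
    clean, 'bob' carries both artifacts."""
    root = Path(tempfile.mkdtemp())
    (root / "alice" / TEMP_DIR).mkdir(parents=True)
    (root / "alice" / TEMP_DIR / "notes.txt").write_text("benign")
    (root / "bob" / TAG_FILE).parent.mkdir(parents=True)
    (root / "bob" / TAG_FILE).write_text("constructed-host-id")
    (root / "bob" / TEMP_DIR).mkdir(parents=True)
    (root / "bob" / TEMP_DIR / "invoice.tmp").write_bytes(b"MZ constructed")
    (root / "bob" / TEMP_DIR / "stage.ps1").write_text("# constructed")
    return root


if __name__ == "__main__":
    for user, finding in hunt_profiles(build_fixture()):
        print(f"{user}: {finding}")
```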
As a result of the investigation, the researchers arrived at a “second unreported potential payload” named “Uranus,” retrieved from a URL ending in “[.]biz/get/uran.ps1.”
The keylogger uses a variety of .NET runtime APIs to capture user keystrokes and their associated metadata.
“For example, it looks for the available input languages and keyboard layouts installed on the victim’s host and attaches the two-letter ISO code as an additional attribute to the collected keylogger data. Interestingly, in this case the actors specifically check for German and Russian characters before defaulting to the English label,” according to the report.
“Extraction occurs every 10,000 seconds, using a thread sleep call configured to delay the Uranus event loop. This module also uses HTTP POST requests as its primary method of communicating with Solarmarker’s C2 infrastructure.”
The researchers pointed out that Solarmarker’s general execution flow does not change much between variants. In most cases the attackers want to install a backdoor, but Talos researchers say they began to notice a “surge in new Solarmarker activity” in telemetry around the end of May.
In the latest version, the download method for the initial parent dropper has been tweaked, and the staging component has been upgraded to a new one called “Mars.”
“During our investigation of previous campaign activity, Talos initially found Solarmarker’s malicious parent PE file being downloaded via fake file-sharing pages with a common appearance, hosted across free site services. Many of the dummy accounts became inactive in the meantime, but we found the file names used by the Solarmarker dropper in telemetry and tried to find the download URLs,” Cisco’s study says.
“This delivery method was later corroborated by a third-party malware analyst in their own report on Solarmarker. For example, we saw several download pages hosted on suspicious Google Sites accounts. These links direct the victim to a page that offers to download the file as a PDF or Microsoft Word file. Following the download link, the victim is sent through multiple redirects across different domains to the final download page. This general method hasn’t changed; suspicious web pages hosted on Google Sites still appear in telemetry, but the actors have slightly changed the final lure page.”
The attackers have made significant improvements to make the final download page look more legitimate.
The latest version also includes the decoy program PDFSam, which “is executed in conjunction with the rest of Solarmarker’s initialization and acts as misdirection for the victim by trying to make it look like a legitimate document.”
There is some evidence in the report that Russian speakers created Solarmarker, but the researchers said there was not enough evidence to assign high confidence to that attribution.
The report suggests that organizations educate users about the dangers of risky file downloads and deploy other measures designed to limit or block the execution of the many scripts Solarmarker relies on.
“The actors behind Solarmarker are likely to continue improving their malware and tooling and rotating their C2 infrastructure in order to extend their campaigns into the foreseeable future,” the report added.
Cisco researchers spotlight Solarmarker malware