Researchers have provided detailed information about an advanced version of the SolarMarker malware. It has now added improvements, along with updated defense evasion techniques to stay undetected.
What has happened?
Researchers from Palo Alto Networks Unit 42 published a detailed technical report regarding a recent campaign.
- SolarMarker operators were observed using stealthy Windows Registry tricks to gain long-lasting persistence on the compromised systems.
- Further, they used signed files, obfuscated PowerShell scripts, large files, and impersonation of legitimate software installers to stay undetected.
The infection chain
The infection chain had used the 250MB .exe file for PDF readers and utilities hosted on fake websites packed with keywords and SEO poisoning tactics to improve their ranking in search results.
- The large file size of the .exe allows the initial stage dropper to bypass automated analysis by antivirus engines. It further downloads and installs a legitimate program to avoid any suspicion.
- In parallel to its execution, the malware executes a PowerShell installer to deploy and execute additional components of SolarMarker.
- The campaign had used two specific components of SolarMarker, a backdoor and an infostealer to perform different operations.
The backdoor and infostealer
- The SolarMarker backdoor is equipped with capabilities to carry out internal reconnaissance, collect system metadata, and upload it to the remote server over an encrypted channel.
- In addition to this, the backdoor implant deploys SolarMarker's information-stealing module on the victim machine. The stealer can pilfer autofill data, passwords, cookies, and credit card details from web browsers.
Conclusion
The attackers behind the SolarMarker campaign have put a lot of effort into staying under the radar. Thus, organizations are suggested to stay up-to-date with the latest developments in threat tactics and techniques. This can allow for the implementation of better countermeasures against such threats.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/c30d_shutterstock_2141796339.jpeg)
/https://cyware-ent.s3.amazonaws.com/image_bank/91ea_shutterstock_610964159_scam.jpg)
