Healthcare and education sectors are the frequent targets of a new surge in credential harvesting activity from what is a "highly modular" .NET-based information stealer and keylogger, charting the course for the threat actor's continued evolution while simultaneously remaining under the radar.
Dubbed "Solarmarker," the malware campaign is believed to have been active since September 2020, with telemetry data pointing to malicious activity as early as April 2020, according to Cisco Talos. "At its core, the Solarmarker campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft," Talos researchers Andrew Windsor and Chris Neal said in a technical write-up published last week.
Infections consist of several moving parts, chief among them a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and further malicious actions, including the deployment of information-stealing components like Jupyter and Uran (likely a reference to Uranus).
While the former boasts capabilities to steal personal data, credentials, and form submission values from the victim's Firefox and Google Chrome browsers, the latter, a previously unreported payload, acts as a keylogger to capture the user's keystrokes.
The renewed activity has also been accompanied by a shift in tactics and multiple iterations of the infection chain, even as the threat actor latched on to the age-old trick of SEO poisoning, which refers to the abuse of search engine optimization (SEO) to gain more eyeballs and traction for malicious sites or to make their dropper files highly visible in search engine results.
"Operators of the malware known as SolarMarker, Jupyter, [and] other names are aiming to find new success using an old technique: SEO poisoning," the Microsoft Security Intelligence team disclosed in June. "They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware."
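The SEO-poisoned lure documents described above share two traits a defender can triage for: repeated keyword text and a cluster of outbound link annotations. The following Python script is an added example written for this article; it is not code from Talos, Microsoft, or the Solarmarker operators. It assumes uncompressed PDF objects (it only sees plain `/URI (...)` actions and `(...) Tj` text operators, not content inside compressed streams), and the two thresholds plus the `.example` domains in the constructed samples are illustrative assumptions to be tuned against real corpora.

```python
"""Heuristic triage of link-stuffed, keyword-stuffed PDF lures.

Added example for this article, not code from Talos or Microsoft.
Assumption: objects are uncompressed, so /URI actions and (...) Tj text
are visible to a regex; real lures are usually compressed and would need
a proper PDF parser in front of these heuristics.
"""
import re
from urllib.parse import urlsplit

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # link annotation targets
TEXT_RE = re.compile(rb"\(([^)]*)\)\s*Tj")     # simple text-show operators


def extract_links(pdf: bytes) -> list[str]:
    """Return every /URI action target found in uncompressed PDF objects."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf)]


def extract_words(pdf: bytes) -> list[str]:
    """Return lowercase words from plain (...) Tj text-show operators."""
    words: list[str] = []
    for chunk in TEXT_RE.findall(pdf):
        words.extend(chunk.decode("latin-1").lower().split())
    return words


def repetition_ratio(words: list[str]) -> float:
    """Fraction of words that repeat an earlier word; 0.0 for empty or all-unique text."""
    if not words:
        return 0.0
    return 1.0 - len(set(words)) / len(words)


def assess_pdf(pdf: bytes, max_links: int = 3, max_repetition: float = 0.6) -> dict:
    """Score one document. Thresholds are illustrative assumptions, not published indicators."""
    links = extract_links(pdf)
    hosts = {urlsplit(u).hostname for u in links if urlsplit(u).hostname}
    ratio = repetition_ratio(extract_words(pdf))
    reasons = []
    if len(links) >= max_links:
        reasons.append(f"{len(links)} outbound links to {len(hosts)} distinct hosts")
    if ratio >= max_repetition:
        reasons.append(f"keyword repetition ratio {ratio:.2f}")
    return {"links": links, "hosts": sorted(hosts), "repetition": ratio,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: a lure-style document with repeated bait text and
# four link annotations pointing at three reserved .example hosts.
LURE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"4 0 obj << /Length 160 >> stream\n"
    b"BT /F1 12 Tf (free invoice template download) Tj (free invoice template download) Tj "
    b"(free invoice template download) Tj (free invoice template download) Tj (click here) Tj ET\n"
    b"endstream endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure-one.example/get) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure-two.example/get) >> >> endobj\n"
    b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure-three.example/get) >> >> endobj\n"
    b"8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure-one.example/again) >> >> endobj\n"
    b"%%EOF\n"
)

# Constructed sample: an ordinary internal document with varied text and one link.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"4 0 obj << /Length 60 >> stream\n"
    b"BT /F1 12 Tf (Quarterly report for the finance team) Tj ET\n"
    b"endstream endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://intranet.example/q2) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, doc in (("lure", LURE_PDF), ("benign", BENIGN_PDF)):
        print(name, assess_pdf(doc))
```

Both heuristics are deliberately cheap so they can run over a mail gateway's or a web crawler's PDF stream before any detonation; a hit only earns the document a closer look (rendering the link targets in a sandbox, checking the redirect chain), it does not by itself say anything about which malware family sits at the end.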
Talos' static and dynamic analysis of Solarmarker's artifacts points to a Russian-speaking adversary, although the threat intelligence group suspects the malware creators may have intentionally designed them in such a manner in an attempt to mislead attribution.
"The actor behind the Solarmarker campaign possesses moderate to advanced capabilities," the researchers concluded. "Maintaining the amount of interconnected and rotating infrastructure and generating a seemingly limitless amount of differently named initial dropper files requires substantial effort."
"The actor also shows determination in ensuring the continuation of their campaign, such as updating the encryption methods for the C2 communication in the Mars DLL after researchers had publicly picked apart earlier components of the malware, in addition to the more typical method of cycling out the C2 infrastructure hosts."