3rd August 2021, Kathmandu
Healthcare and education sectors are the frequent targets of a new surge in credential harvesting activity from what is a “highly modular” .NET-based information stealer and keylogger, charting the course for the threat actor’s continued evolution while simultaneously remaining under the radar.
Dubbed “Solarmarker,” the malware campaign is believed to have been active since September 2020, with telemetry data pointing to malicious actions as early as April 2020, according to Cisco Talos. “At its core, the Solarmarker campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft,” Talos researchers Andrew Windsor and Chris Neal said in a technical write-up published last week.
Infections consist of multiple moving parts, chief among them a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and further malicious actions, including the deployment of information-stealing components such as Jupyter and Uran (likely a reference to Uranus).
While the former is capable of stealing personal data, credentials, and form submission values from the victim’s Firefox and Google Chrome browsers, the latter, a previously unreported payload, acts as a keylogger to capture the user’s keystrokes.
The renewed activity has also been accompanied by a shift in tactics and multiple iterations of the infection chain, even as the threat actor latched on to the age-old trick of SEO poisoning, which refers to the abuse of search engine optimization (SEO) to gain more eyeballs and traffic for malicious sites or to make dropper files highly visible in search engine results.
“Operators of the malware known as SolarMarker, Jupyter, [and] other names are aiming to find new success using an old technique: SEO poisoning,” the Microsoft Security Intelligence team disclosed in June. “They use thousands of PDF documents stuffed with SEO keywords and links that start a chain of redirections eventually leading to the malware.”
Talos’ static and dynamic analysis of Solarmarker’s artifacts points to a Russian-speaking adversary, although the threat intelligence group suspects the malware creators could have intentionally designed them in such a manner in an attempt to mislead attribution.
“The actor behind the Solarmarker campaign possesses moderate to advanced capabilities,” the researchers concluded. “Maintaining the amount of interconnected and rotating infrastructure and generating a seemingly limitless number of differently named initial dropper files requires substantial effort.”
“The actor also shows determination in ensuring the continuation of their campaign, such as updating the encryption methods for the C2 communication in the Mars DLL after researchers had publicly picked apart previous components of the malware, in addition to the more typical strategy of cycling out the C2 infrastructure hosts.”