Cisco researchers spotlight Solarmarker malware

A new report said the Solarmarker campaign is being conducted by "fairly sophisticated" actors focusing their energy on credential and residual information theft.

Andrew Windsor and Chris Neal, researchers with Cisco Talos, have seen new activity from Solarmarker, a .NET-based information stealer and keylogger that they called "highly modular."

The researchers explained in a blog post that the Solarmarker campaign is being conducted by "fairly sophisticated" actors focusing their energy on credential and residual information theft. 

Like the targeted language component of the keylogger, other clues indicate that the cyber-attacker has an interest in European organizations or cannot afford to process text in any languages other than Russian, German and English. 

"Regardless, they are not particular or overly careful as to which victims are infected with their malware. During this recent surge in the campaign, Talos observed the health care, education, and municipal governments verticals being targeted the most often," the report said. 

"These sectors were followed by a smaller grouping of manufacturing organizations, along with a few individual organizations in religious institutions, financial services and construction/engineering. Despite what appears to be a concentration of victimology among a few verticals, we assess with moderate confidence that this campaign is not targeting any specific industries, at least not intentionally." 

The report added that Microsoft researchers believe the Solarmarker campaign is using SEO poisoning in order to make their dropper files highly visible in search engine results, potentially skewing "what types of organizations are likely to come across the malicious files depending on what is topically popular at the time."

Talos researchers warned organizations to look out for the malware because the modules observed show that victims are vulnerable to "having sensitive information stolen, not only from their individual employees' browser usage, such as if they enter their credit card number or other personal information, but also those critical to the security of the organization, particularly credentials."

Cisco noted that the malware was previously used alongside "d.m," but is now being used with the "Mars" staging module. Researchers also discovered another module, previously unreported, that they named "Uranus."

"Talos is actively tracking a malware campaign with the Solarmarker information-stealer dating back to September 2020, the report said. "Some DNS telemetry and related activity even point back to April 2020. At the time, we discovered three primary DLL components and multiple variants utilizing similar behavior."

According to the study, the attackers typically inject a stager on the victim host for command and control communications and further malicious actions before a second component called "Jupyter" was observed being injected by the stager.

When Cisco analysts examined the DLL module, named "Jupyter," they found that it is able to steal personal information, credentials, and form submission values from the victim's Firefox and Chrome installation and user directories.

The module uses HTTP POST requests to send information to its C2 server. The attackers used a variety of measures -- like including the "CurrentUser" flag for the data protection scope argument in the "Unprotect" method call -- to complicate attempts to decrypt or analyze the raw data going between the victim and the C2 server.

"The Jupyter information stealer is Solarmarker's second most-dropped module. During the execution of many of the Solarmarker samples, we observed the C2 sending an additional PS1 payload to the victim host," the report said. 

"Responses from the C2 are encoded in the same manner as the JSON object containing the victim's system information. After reversing the base64 and XOR encoding, it writes this byte stream to a PS1 file on disk, runs it, and subsequently deletes the file. This new PowerShell script contains a base64-encoded .NET DLL, which was also injected through .NET's reflective assembly loading."

The analysts observed that the stager has browser form and other information-stealing capabilities. The attackers also use a keylogger called "Uran", which was discovered in older campaigns.

"The staging component of Solarmarker serves as the central execution hub, facilitating initial communications with the C2 servers and enabling other malicious modules to be dropped onto the victim host," the report explained. 

"Within our observed data, the stager is deployed as a .NET assembly named 'd' and a single executing class named 'm' (referred to jointly in this analysis as 'd.m'). The malware extracts a number of files to the victim host's 'AppData\Local\Temp' directory on execution, including a TMP file with the same name as the original downloaded file and a PowerShell script file (PS1), from which the rest of the execution chain spawns."

The attack gets its name from the file write of "AppData\Roaming\solarmarker.dat," which the report said serves as a victim host identification tag. 

The investigation led researchers to a "previously unreported second potential payload," named "Uranus," which they say is derived from the file "Uran.PS1" that is hosted on Solarmarker's infrastructure at "on-offtrack[.]biz/get/uran.ps1." 

The keylogger malware uses a variety of tools within the .NET runtime API to do things like capture the user's keystrokes and relevant metadata.

"For example, it will look for available input languages, and keyboard layouts installed on the victim host and attach their two-letter ISO codes as additional attributes to the keylogging data collected. Interestingly, in this case, the actor checks specifically for German and Russian character sets before defaulting to an English label, the report said.

"Extraction is set to occur every 10 000 seconds using a thread sleep call to delay Uranus' event loop. This module also uses HTTP POST requests as its primary method of communications with Solarmarker's C2 infrastructure."

The researchers noted that the general execution flow of Solarmarker had not changed much between variants. In most cases, attackers want to install a backdoor, but Talos researchers said that they began noticing "surges of new Solarmarker activity" in their telemetry around the end of May.

The latest version features a tweaked download method of the initial parent dropper as well as upgrades to a new staging component called "Mars."

 "During our research on earlier campaign activity, Talos initially believed that victims were downloading Solarmarker's parent malicious PE files through generic-looking, fake file-sharing pages hosted across free site services, but many of the dummy accounts had become inactive between the time we found the filenames used by Solarmarker's droppers in our telemetry and attempting to find their download URLs," Cisco researchers wrote.

"This method of delivery was later corroborated by third-party malware analysts in their own reporting on Solarmarker. For example, we saw several download pages being hosted under suspicious accounts on Google Sites. These links direct the victim to a page offering the ability to download the file as either a PDF or Microsoft Word file. Following the download link sends the victim through multiple redirects across varying domains before landing on a final download page. This general methodology hasn't changed; many of the parent file names found in our telemetry can be found on suspicious web pages hosted on Google Sites, although the actor has changed their final lure pages a bit."

The attackers made significant improvements to the final download page in an effort to make it look more legitimate.

The latest version also includes a decoy program, PDFSam, which is "executed in tandem with the rest of Solarmarker's initialization to act as misdirection for the victim by attempting to look like a legitimate document."

While there is some evidence in the report that Russian speakers created Solarmarker, the researchers said there is not enough evidence to assign high confidence to the attribution. 

The report suggests organizations educate users on the perils of downloading risky files as well as a host of other measures designed to limit or block Solarmarker's numerous scripts from executing.

"We expect the actor behind Solarmarker to continue to refine their malware and tools, as well as alternate their C2 infrastructure, in order to prolong their campaign for the foreseeable future," the report added.