Healthcare and education sectors are the frequent targets of a new surge in credential-harvesting activity from what is a "highly modular" .NET-based information stealer and keylogger, charting the course for the threat actor's continued evolution while simultaneously remaining under the radar.
The Solarmarker campaign is believed to have been active since September 2020, with telemetry data pointing to malicious activity as early as April 2020, according to Cisco Talos. "At its core, the Solarmarker campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft," Talos researchers Andrew Windsor and Chris Neal wrote in a technical write-up published last week.
Infections consist of multiple moving parts, chief among them a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and further malicious actions, including the deployment of information-stealing components such as Jupyter and Uran (likely a reference to Uranus).
While the former boasts capabilities to steal personal data, credentials, and form submission values from the victim's Firefox and Google Chrome browsers, the latter, a previously unreported payload, acts as a keylogger to capture the user's keystrokes.
The renewed activity has also been accompanied by a shift in tactics and multiple iterations of the infection chain, even as the threat actor latched on to the age-old trick of SEO poisoning, which refers to the abuse of search engine optimization (SEO) to gain more eyeballs and traction for malicious sites or to make their dropper files highly visible in search engine results.
"Operators of the malware known as SolarMarker, Jupyter, [and] other names are aiming to find new success using an old technique: SEO poisoning," the Microsoft Security Intelligence team said in June. "They use thousands of PDF documents stuffed with SEO keywords and links that start a chain of redirections eventually leading to the malware."
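The lure documents described above are worth triaging on the link annotations they carry rather than on their keyword-stuffed text. The following Python script is an added example, not code from Cisco Talos, Microsoft, or the Solarmarker operators: it pulls every /URI action out of a PDF's raw bytes and flags a document whose links all funnel into one external host and path, the shape a mass-produced redirect lure tends to have. It assumes the PDF objects are uncompressed (real samples may hide annotations inside /FlateDecode object streams, which this does not inflate), and the sample PDF, its host `lure.example`, and the `min_links` threshold are constructed for the example.

```python
"""Triage helper for SEO-poisoned PDF lures (added example, not the page's code).

Scans the raw bytes of a PDF for /URI link actions and reports the external
hosts they point to. Assumption: objects are uncompressed; annotations stored
inside /FlateDecode object streams would need inflating first.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Matches PDF URI actions such as "/URI (https://host/path)".
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Constructed sample: a minimal PDF carrying three link annotations that all
# point at one download endpoint on a single (hypothetical) lure host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/download?doc=free-template) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/download?doc=sample-form) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/download?doc=agreement) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in the (uncompressed) PDF bytes, in order."""
    return [m.group(1).decode("latin-1", "replace") for m in URI_RE.finditer(pdf_bytes)]


def host_counts(uris) -> Counter:
    """Count how many links point at each hostname."""
    return Counter(urlparse(u).hostname or "" for u in uris)


def triage(pdf_bytes: bytes, min_links: int = 3) -> dict:
    """Flag a PDF whose links (at least min_links of them) all share one host
    and one path, i.e. every link is the same redirect entry point with only
    the query string varied. Returns the evidence alongside the verdict."""
    uris = extract_uris(pdf_bytes)
    hosts = host_counts(uris)
    paths = {urlparse(u).path for u in uris}
    flagged = len(uris) >= min_links and len(hosts) == 1 and len(paths) == 1
    return {"uris": uris, "hosts": dict(hosts), "flagged": flagged}


if __name__ == "__main__":
    verdict = triage(SAMPLE_PDF)
    for uri in verdict["uris"]:
        print("link:", uri)
    print("hosts:", verdict["hosts"])
    print("flagged as redirect lure:", verdict["flagged"])
```

The heuristic is deliberately narrow so it produces few false positives on ordinary documents, which usually link to several hosts and paths; a hit is a reason to detonate the link chain in a sandbox, not a verdict on its own.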
Talos' static and dynamic analysis of Solarmarker's artifacts points to a Russian-speaking adversary, although the threat intelligence group suspects the malware authors could have deliberately designed them in such a manner in an attempt to mislead attribution.
"The actor behind the Solarmarker campaign possesses moderate to advanced capabilities," the researchers concluded. "Maintaining the amount of interconnected and rotating infrastructure and generating a seemingly limitless amount of differently named initial dropper files requires substantial effort."
"The actor also exhibits determination in ensuring the continuation of their campaign, such as updating the encryption methods for the C2 communication in the Mars DLL after researchers had publicly picked apart earlier components of the malware, in addition to the more typical method of cycling out the C2 infrastructure hosts."