Healthcare and education sectors are the frequent targets of a new surge in credential harvesting activity from what is a "highly modular" .NET-based information stealer and keylogger, charting the course for the threat actor's continued evolution while simultaneously remaining under the radar.
Dubbed "Solarmarker," the malware campaign is believed to be active since September 2020, with telemetry data pointing to malicious actions as early as April 2020, according to Cisco Talos. "At its core, the Solarmarker campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft," Talos researchers Andrew Windsor and Chris Neal said in a technical write-up published last week.
Infections consist of multiple moving parts, chief among them being a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and further malicious actions, including the deployment of information-stealing components like Jupyter and Uran (likely a reference to Uranus).
While the former boasts of capabilities to steal personal data, credentials, and form submission values from the victim's Firefox and Google Chrome browsers, the latter — a previously unreported payload — acts as a keylogger to capture the user's keystrokes.
The renewed activity has also been accompanied by a shift in tactics and multiple iterations to the infection chain, even as the threat actor latched on to the age-old trick of SEO poisoning, which refers to the abuse of search engine optimization (SEO) to gain more eyeballs and traction for malicious sites or to make their dropper files highly visible in search engine results.
"Operators of the malware known as SolarMarker, Jupyter, [and] other names are aiming to find new success using an old technique: SEO poisoning," the Microsoft Security Intelligence team disclosed in June. "They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware."
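To make the redirect-chain mechanic concrete from a detection standpoint, here is an added Python example (not code from the article, from Talos, or from Microsoft) that runs over constructed web-proxy log lines and flags a client whose PDF download is followed, within a short window, by a chain of HTTP redirects that ends in an executable download. The log format, hostnames, timestamps and file names are all constructed for this example and assume nothing about the real campaign's infrastructure.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed web-proxy log lines for this example (not real telemetry).
# Field order assumed: <timestamp> <client> <method> <url> <status> <content-type> <location-or-dash>
SAMPLE_LOG = [
    "2021-07-05T10:01:02Z 10.0.0.5 GET https://search.example.com/?q=school+enrollment+form 200 text/html -",
    "2021-07-05T10:01:09Z 10.0.0.5 GET https://docs.example.net/enrollment-form-2021.pdf 200 application/pdf -",
    "2021-07-05T10:01:15Z 10.0.0.5 GET https://hop1.example.org/go?id=77 302 text/html https://hop2.example.org/step",
    "2021-07-05T10:01:16Z 10.0.0.5 GET https://hop2.example.org/step 302 text/html https://dl.example.org/files/EnrollmentForm_Setup.exe",
    "2021-07-05T10:01:18Z 10.0.0.5 GET https://dl.example.org/files/EnrollmentForm_Setup.exe 200 application/x-msdownload -",
    # Benign pattern: a PDF followed by an ordinary http->https redirect to a web page.
    "2021-07-05T10:05:00Z 10.0.0.7 GET https://vendor.example.com/manual.pdf 200 application/pdf -",
    "2021-07-05T10:05:20Z 10.0.0.7 GET http://vendor.example.com/ 301 text/html https://vendor.example.com/",
    "2021-07-05T10:05:21Z 10.0.0.7 GET https://vendor.example.com/ 200 text/html -",
]

# Content types and extensions treated as "executable download" (example heuristic).
EXEC_TYPES = {"application/x-msdownload", "application/x-msdos-program",
              "application/x-msi", "application/octet-stream"}
EXEC_EXTENSIONS = (".exe", ".msi", ".scr")


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    status: int
    ctype: str
    location: Optional[str]  # Location header for 3xx responses, else None


@dataclass
class Alert:
    client: str
    pdf_url: str
    hops: List[str]      # URLs of the redirecting hops, in order
    payload_url: str
    seconds: float       # time from PDF fetch to payload fetch


def parse_line(line: str) -> Request:
    ts, client, _method, url, status, ctype, location = line.split()
    return Request(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        client=client, url=url, status=int(status), ctype=ctype,
        location=None if location == "-" else location,
    )


def is_executable(r: Request) -> bool:
    return r.ctype in EXEC_TYPES or r.url.lower().endswith(EXEC_EXTENSIONS)


def find_pdf_redirect_chains(lines: List[str],
                             window: timedelta = timedelta(seconds=120),
                             min_redirects: int = 1) -> List[Alert]:
    """Flag PDF fetches followed, within `window`, by a linked 3xx chain ending in an executable.

    Each hop must be entered via the previous hop's Location header, so an unrelated
    redirect elsewhere in the client's traffic does not count as part of the chain.
    """
    by_client: Dict[str, List[Request]] = {}
    for r in map(parse_line, lines):
        by_client.setdefault(r.client, []).append(r)

    alerts: List[Alert] = []
    for client, reqs in by_client.items():
        reqs.sort(key=lambda r: r.ts)
        for i, pdf in enumerate(reqs):
            if pdf.ctype != "application/pdf" or pdf.status != 200:
                continue
            chain: List[str] = []
            expected: Optional[str] = None  # URL the last redirect pointed at
            for nxt in reqs[i + 1:]:
                if nxt.ts - pdf.ts > window:
                    break
                following = expected is not None and nxt.url == expected
                if 300 <= nxt.status < 400 and nxt.location:
                    # Extend the chain we are following, or start a fresh one.
                    chain = chain + [nxt.url] if following else [nxt.url]
                    expected = nxt.location
                elif following and is_executable(nxt) and len(chain) >= min_redirects:
                    alerts.append(Alert(client, pdf.url, chain, nxt.url,
                                        (nxt.ts - pdf.ts).total_seconds()))
                    break
                else:
                    chain, expected = [], None  # chain broken; keep scanning the window
    return alerts


if __name__ == "__main__":
    for a in find_pdf_redirect_chains(SAMPLE_LOG):
        print(f"{a.client}: {a.pdf_url} -> {len(a.hops)} redirect(s) -> {a.payload_url} in {a.seconds:.0f}s")
```

The check is deliberately narrow: it requires each hop to be reached via the previous hop's Location header, and a PDF followed by a routine http-to-https redirect to a web page (the second client above) produces no alert. In practice the content-type and extension lists would be tuned to the proxy's actual labelling.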
Talos' static and dynamic analysis of Solarmarker's artifacts points to a Russian-speaking adversary, although the threat intelligence group suspects the malware creators could have intentionally designed them in such a manner in an attempt to mislead attribution.
"The actor behind the Solarmarker campaign possesses moderate to advanced capabilities," the researchers concluded. "Maintaining the amount of interconnected and rotating infrastructure and generating a seemingly limitless amount of differently named initial dropper files requires substantial effort."
"The actor also shows determination in ensuring the continuation of their campaign, such as updating the encryption methods for the C2 communication in the Mars DLL after researchers had publicly picked apart earlier components of the malware, in addition to the more typical method of cycling out the C2 infrastructure hosts."