As reported by Cisco Talos, a malware campaign called “Solarmarker” has been active since at least September 2020, although telemetry data points to activity as early as April 2020. According to the technical analysis published by Talos researchers Chris Neal and Andrew Windsor, the core Solarmarker campaign appears to be run by a capable threat actor focused on stealing credentials and other residual information from victim hosts.
Information theft and keylogging are carried out by what Talos describes as a highly modular, .NET-based system. It has repeatedly targeted the healthcare and education sectors to harvest sensitive credentials, while the attackers stay under the radar of defenders and continue to evolve their tooling.
An infection consists of several moving parts, led by a .NET assembly module that serves as a staging ground and system profiler on the victim host. This module enables follow-on malicious actions and handles the command-and-control (C2) communications. It also deploys two further components, Jupyter and Uran (apparently a nod to the planets Jupiter and Uranus), both of which are information-stealing mechanisms.
The Jupyter info stealer primarily targets credentials, private data, and form submission values stored by the Google Chrome, Firefox, and Chromium browsers. The Uran component is a keylogger that records the victim’s keystrokes.
These revamped info stealers share a number of additional tactics that demonstrate the campaign’s viability, including repetition and the shifting of strategies throughout the infection chain. The operators have also returned to older tricks such as search engine optimization (SEO) poisoning: abusing search engine ranking systems so that malicious websites are shown prominently in search results. The dropper files are therefore highly visible to anyone who lands on those result pages.
In June, the Microsoft Security Intelligence team reported that SEO poisoning, although an age-old trick, is being used effectively by malware and info stealer operators such as those behind SolarMarker, Uran, and Jupyter. Microsoft noted that the threat actors lure victims to malware sites using thousands of PDF documents stuffed with SEO keywords, which leads the victim through a chain of multiple malicious web redirections.
Based on artifacts from Solarmarker, Cisco Talos’ static and dynamic analysis tentatively points to a Russian-speaking threat actor.
However, it is also possible that the threat actors deliberately engineered these artifacts to mislead attribution and avoid identification. The researchers concluded that the Solarmarker actors possess moderate to professional skills, since maintaining a coherent yet constantly shifting infrastructure, and generating a very large number of distinct dropper file names, requires considerable skill and effort.
Beyond skill and effort, Cisco Talos also noted that the actor must be highly determined to keep the campaign running, since many parts of it have to be monitored and maintained. For example, after researchers publicly took apart older builds of the malware, the actor had to update and rework the encryption used for the C2 communications inside the Mars DLL.