"Talos is actively tracking a malware campaign with the Solarmarker information-stealer dating back to September 2020," the report said. "Some DNS telemetry and related activity even point back to April 2020. At the time, we discovered three primary DLL components and multiple variants utilizing similar behavior."

According to the study, the attackers typically inject a stager on the victim host for command and control communications and further malicious actions before a second component called "Jupyter" was observed being injected by the stager. The analysts observed that the stager has browser form and other information-stealing capabilities. "The staging component of Solarmarker serves as the central execution hub, facilitating initial communications with the C2 servers and enabling other malicious modules to be dropped onto the victim host," the report explained.

Cisco noted that the malware was previously used alongside "d.m," but is now being used with the "Mars" staging module. The latest version features a tweaked download method of the initial parent dropper as well as upgrades to a new staging component called "Mars." The researchers noted that the general execution flow of Solarmarker had not changed much between variants. In most cases, attackers want to install a backdoor, but Talos researchers said that they began noticing "surges of new Solarmarker activity" in their telemetry around the end of May.

"Responses from the C2 are encoded in the same manner as the JSON object containing the victim's system information. During the execution of many of the Solarmarker samples, we observed the C2 sending an additional PS1 payload to the victim host," the report said. After reversing the base64 and XOR encoding, it writes this byte stream to a PS1 file on disk, runs it, and subsequently deletes the file. This new PowerShell script contains a base64-encoded .NET DLL, which was also injected through.

When Cisco analysts examined the DLL module, named "Jupyter," they found that it is able to steal personal information, credentials, and form submission values from the victim's Firefox and Chrome installation and user directories. The module uses HTTP POST requests to send information to its C2 server. The attackers used a variety of measures, like including the "CurrentUser" flag for the data protection scope argument in the "Unprotect" method call, to complicate attempts to decrypt or analyze the raw data going between the victim and the C2 server. "The Jupyter information stealer is Solarmarker's second most-dropped module."

The attackers also use a keylogger called "Uran", which was discovered in older campaigns. Researchers also discovered another module, previously unreported, that they named "Uranus." "For example, it will look for available input languages and keyboard layouts installed on the victim host and attach their two-letter ISO codes as additional attributes to the keylogging data collected." Interestingly, in this case, the actor checks specifically for German and Russian character sets before defaulting to an English label, the report said. "Extraction is set to occur every 10,000 seconds using a thread sleep call to delay Uranus' event loop. This module also uses HTTP POST requests as its primary method of communications with Solarmarker's C2 infrastructure."

Talos researchers warned organizations to look out for the malware because the modules observed show that victims are vulnerable to "having sensitive information stolen, not only from their individual employees' browser usage, such as if they enter their credit card number or other personal information, but also those critical to the security of the organization, particularly credentials."

"These sectors were followed by a smaller grouping of manufacturing organizations, along with a few individual organizations in religious institutions, financial services and construction/engineering. Despite what appears to be a concentration of victimology among a few verticals, we assess with moderate confidence that this campaign is not targeting any specific industries, at least not intentionally." The report added that Microsoft researchers believe the Solarmarker campaign is using SEO poisoning in order to make their dropper files highly visible in search engine results, potentially skewing "what types of organizations are likely to come across the malicious files depending on what is topically popular at the time."
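The layered base64-plus-XOR encoding described above is the kind of wrapper an analyst has to peel back when triaging a dropped PS1 payload. The following is an added example of a small triage helper, not code from the Talos report or from the malware: it pulls long base64 runs out of a PowerShell script, decodes them, and, when the result is not recognizable, tries every single-byte XOR key and checks whether the output starts to look like a PE file (an `MZ` header, as a .NET DLL would) or like further PowerShell. The single-byte key assumption and the embedded sample script are constructed for the example; the report does not state what key scheme Solarmarker uses.

```python
"""Triage helper for base64 + XOR wrapped payloads inside a PowerShell script.

Added example (assumptions: single-byte XOR key, constructed sample script);
it is not the malware author's code or the Talos tooling.
"""
import base64
import re
from itertools import cycle

# A run of 64+ base64 characters with optional padding is long enough to be
# a blob worth looking at; shorter runs are mostly ordinary identifiers.
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Strings that mark decoded output as PowerShell rather than random bytes.
PS_MARKERS = re.compile(r"\b(Invoke-Expression|IEX|Add-Type|FromBase64String)\b", re.I)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key` (the same operation undoes it)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def classify(payload: bytes) -> str:
    """Return 'pe' for an MZ-headed blob, 'powershell' for script text, else 'unknown'."""
    if payload[:2] == b"MZ":
        return "pe"
    text = payload.decode("utf-8", errors="ignore")
    if PS_MARKERS.search(text):
        return "powershell"
    return "unknown"


def recover_single_byte_xor(blob: bytes):
    """Try all 256 single-byte keys; return (key, decoded, kind) on the first hit, else None."""
    for k in range(256):
        candidate = xor_bytes(blob, bytes([k]))
        kind = classify(candidate)
        if kind != "unknown":
            return k, candidate, kind
    return None


def triage_script(script_text: str) -> list:
    """List every decodable blob in the script with its offset, XOR key (or None) and kind."""
    findings = []
    for match in B64_RE.finditer(script_text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (ValueError, base64.binascii.Error):
            continue  # a long identifier or a blob with bad padding, not base64 data
        kind = classify(raw)
        if kind != "unknown":
            findings.append({"offset": match.start(), "xor_key": None, "kind": kind})
            continue
        hit = recover_single_byte_xor(raw)
        if hit is not None:
            key, _, kind = hit
            findings.append({"offset": match.start(), "xor_key": key, "kind": kind})
    return findings


def build_sample() -> str:
    """Constructed stand-in for a dropped script: a fake MZ-headed blob XORed with
    0x5A and base64-encoded, followed by an unencrypted base64 PowerShell stub."""
    fake_dll = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"#" * 40
    wrapped = base64.b64encode(xor_bytes(fake_dll, b"\x5a")).decode()
    stub = base64.b64encode(
        b"Start-Sleep -Seconds 10000; Invoke-Expression $decoded"
    ).decode()
    return f"$a = '{wrapped}'\n$b = '{stub}'\n"


if __name__ == "__main__":
    for finding in triage_script(build_sample()):
        print(finding)
```

Running the block on its constructed sample reports the first blob as a PE recovered with key 0x5A and the second as plain base64-wrapped PowerShell. In practice the same loop is pointed at a suspicious script captured from disk or from PowerShell script-block logging, and a multi-byte key would need a longer search (for example against the known `MZ`/`PE` header bytes), which the report's text does not give enough detail to assume here.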