Healthcare and education sectors are the frequent targets of a new surge in credential harvesting activity from what’s a “highly modular” .NET-based information stealer and keylogger, charting the course for the threat actor’s continued evolution while simultaneously remaining under the radar.
Dubbed “Solarmarker,” the malware campaign is believed to be active since September 2020, with telemetry data pointing to malicious actions as early as April 2020, according to Cisco Talos. “At its core, the Solarmarker campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft,” Talos researchers Andrew Windsor and Chris Neal said in a technical write-up published last week.
Infections consist of multiple moving parts, chief among them being a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and further malicious actions, including the deployment of information-stealing components like Jupyter and Uran (likely a reference to Uranus).
While the former boasts of capabilities to steal personal data, credentials, and form submission values from the victim’s Firefox and Google Chrome browsers, the latter — a previously unreported payload — acts as a keylogger to capture the user’s keystrokes.
The renewed activity has also been accompanied by a shift in tactics and multiple iterations to the infection chain, even as the threat actor latched on to the age-old trick of SEO poisoning, which refers to the abuse of search engine optimization (SEO) to gain more eyeballs and traction to malicious sites or make their dropper files highly visible in search engine results.
“Operators of the malware known as SolarMarker, Jupyter, [and] other names are aiming to find new success using an old technique: SEO poisoning,” the Microsoft Security Intelligence team disclosed in June. “They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware.
Talos’ static and dynamic analysis of Solarmarker’s artifacts points to a Russian-speaking adversary, although the threat intelligence group suspects the malware creators could have intentionally designed them in such a manner in an attempt to mislead attribution.
“The actor behind the Solarmarker campaign possesses moderate to advanced capabilities,” the researchers concluded. “Maintaining the amount of interconnected and rotating infrastructure and generating a seemingly limitless amount of differently named initial dropper files requires substantial effort.”
“The actor also exhibits determination in ensuring the continuation of their campaign, such as updating the encryption methods for the C2 communication in the Mars DLL after researchers had publicly picked apart previous components of the malware, in addition to the more typical strategy of cycling out the C2 infrastructure hosts.”.