Researchers at Cisco Talos have spotted new activity from Solarmarker, a highly modular .NET-based information stealer and keylogger. Specifically, they have reported two new findings about the malware. The first is an upgrade to the staging module. The second is a previously unreported keylogging module. Their report cautions organizations to be on guard against “the modular nature and information stealing capabilities” of Solarmarker.
Cisco Talos has been engaged in the active tracking of Solarmarker’s malware campaign since September 2020. According to their researchers, the campaign is conducted by a highly sophisticated actor and is focused on stealing credentials and residual information.
What is the Solarmarker Malware and How Does it Work?
Solarmarker is a two-stage backdoor malware that steals browser information and credentials. In the first stage, the attackers behind the malware use search engine optimization (SEO) poisoning to ramp up visibility on search engines. This leads potential victims to a malicious site that poses as a legitimate one. The second stage occurs when the victim downloads the file in which the malware is embedded.
Who Does it Target?
The attackers seem to have a specific interest in credential harvesting. The Jupyter module collects browser form captures, cookie data, and credential database files. The Uranus module provides a keylogging component.
Analysis of the keylogging component reveals that the actor either has a heightened geographical interest in Europe or lacks the ability to process text in languages other than English, Russian, or German. This is because the class object responsible for monitoring keypresses only checks whether the host’s language code is one of those three languages.
Researchers at Cisco Talos believe that the attackers are not concerned about which victims are infected. The report notes that health care, education, and municipal government verticals are targeted most often. Despite this concentration of victimology, the researchers do not believe that the campaign targets any specific sector.
Organizations to Exercise Caution
The report states that the actor behind the malware has shown a “willingness and ability to update their tactics, techniques, and procedures (TTPs).” The initial execution of Solarmarker relies on the user downloading and opening the parent file. Therefore, the report recommends that organizations inform their users of the perils of interacting with files from “unvetted or suspicious sources on the internet.”
It is crucial to protect yourself and your systems from malicious actors online. Solarmarker is a sophisticated malware that is typically found on suspicious pages hosted on Google Sites. It is important to stay alert, examine domain names carefully, and only download files from reputable sites.