Researchers from Cisco Talos have reported new details about Solarmarker, which they described as a highly modular information stealer dating back to April 2020. The researchers noted that the campaign is carried out by sophisticated actors who are focused on credential theft and residual information theft.
“Talos is actively tracking a malware campaign with the Solarmarker information-stealer dating back to September 2020,” researchers Andrew Windsor and Chris Neal said in the report. “Some DNS telemetry and related activity even point back to April 2020. At the time, we discovered three primary DLL components and multiple variants utilizing similar behavior.”
Other clues, such as the keylogger's language component supporting only Russian, German, and English, indicate that the attacker is interested in European organizations or lacks the capability to process text in other languages.
Attackers are not overly concerned about which organizations are most likely to get targeted, according to a report by Cisco Talos.
“We assess with moderate confidence that this campaign is not targeting any specific industries, at least not intentionally.”
During the recent spike in activity, researchers most often observed victims in the health care, education, and municipal government verticals, followed by manufacturing organizations and religious institutions, the report said.
According to Microsoft researchers, the Solarmarker campaign uses search engine optimization (SEO) to make its dropper files more visible in search engine results, which further limits the attackers' control over which organizations come across their malicious files.
Talos researchers said organizations are vulnerable to “having sensitive information stolen, not only from their individual employees’ browsers, such as their credit card number or other personal information but also those critical to the organization’s security, particularly credentials.”
Cisco has noted that attackers now use a new module, Uranus, in addition to the Mars staging module. The company said they previously used “d.m.”
Cisco revealed that attackers usually inject a stager on a victim's host to handle C2 communications with the system. They then proceed with other actions and inject a second component, which researchers called Jupyter, that has information-stealing capabilities. Researchers also uncovered a "previously unreported second potential payload," named "Uranus," which seems to be derived from the file "Uran.PS1" hosted on Solarmarker's infrastructure at "on-offtrack[.]biz/get/uran.ps1."
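As an added defender-side illustration (not code from the Talos report or from Cisco), the Python below scans proxy log lines for requests to the staging host quoted above, or for any PowerShell script download, which is the delivery path the report describes for the Uranus payload. The log line format and the sample lines are constructed assumptions, not a real product's format.

```python
import re
from urllib.parse import urlsplit

# Defanged staging URL quoted in the Talos report.
SOLARMARKER_INDICATORS = ["on-offtrack[.]biz/get/uran.ps1"]

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2021-07-30T12:00:01Z 10.0.0.5 GET http://on-offtrack.biz/get/uran.ps1 200
2021-07-30T12:00:02Z 10.0.0.5 GET https://www.example.com/docs/report.pdf 200
2021-07-30T12:01:10Z 10.0.0.7 GET https://ON-OFFTRACK.BIZ/get/other.ps1 404
2021-07-30T12:02:00Z 10.0.0.9 GET https://files.example.net/setup/bootstrap.ps1 200
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def refang(indicator: str) -> str:
    """Convert a defanged indicator ("[.]", "hxxp") into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def indicator_host(indicator: str) -> str:
    """Lower-cased host of a refanged URL-style indicator (scheme optional)."""
    url = refang(indicator)
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def find_suspicious_fetches(log_text: str, indicators=SOLARMARKER_INDICATORS):
    """Return (timestamp, client, url, reason) for each line worth triage:
    requests to known Solarmarker hosts, and any .ps1 download from anywhere,
    since the stager retrieves the Uran.PS1 payload over HTTP."""
    known_hosts = {indicator_host(i) for i in indicators}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole scan
        ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()  # hostname matching is case-insensitive
        if host in known_hosts:
            hits.append((ts, client, url, "known Solarmarker staging host"))
        elif parts.path.lower().endswith(".ps1"):
            hits.append((ts, client, url, "PowerShell script download"))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_fetches(SAMPLE_PROXY_LOG):
        print(*hit)
```

The second rule is deliberately broad: legitimate .ps1 downloads do occur, so it is a triage signal to pair with the host match, not a verdict on its own.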
Researchers observed a few variants of the malware. The latest version features a few changes to the download method and a new staging component called Mars.
The attackers also made changes to the final download page to make it look more legitimate. The latest version of Solarmarker also includes a decoy program called PDFSam, whose purpose is misdirection: tricking victims into thinking that a legitimate document is being delivered.
The researchers concluded that there is not enough evidence to believe that Solarmarker was created by Russian hackers.