Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Defend brute force attacks, active intrusions and unauthorized scans.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT Beginning in early September 2024, eSentire observed an increase in the number of incidents involving Lumma Stealer malware; this activity has remained common leading into…
Oct 02, 2024THE THREATA recently disclosed vulnerability impacting Zimbra mail servers is being actively exploited by attacker(s). On September 27th, Zimbra publicly disclosed CVE-2024-45519, a…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
Since first emerging in 2020, SolarMarker (aka: Jupyter, Polazert, Yellow Cockatoo) remains one of the most successful malware campaigns, relying heavily on social engineering through search engine optimization (SEO). SolarMarker has significantly developed its capabilities since it first appeared in the wild – from C2 communication that is challenging to decrypt, to obfuscation that slows down malware analysis.
SolarMarker has two major capabilities, it installs a backdoor or an infostealer as soon as the victim runs the payload. Both SolarMarker’s modules can damage organizations as the backdoor can be leveraged by attacker(s) to deploy additional malware or steal sensitive information.
This malware continues to remain active in the wild and researchers from Morphisec believe that it is the work of Russian-speaking actor(s). The first admin panel was found hosted on a Russian server Joint Stock company (JSC) "ER-Telecom Holding". The background image of Jupiter from the admin panel that the researchers reversed originating from forums containing Cyrillic.
eSentire has observed a significant increase in SolarMarker infections delivered via drive-by downloads.
The initial infection occurs with the user visiting a malicious website that is stuffed with keywords to deceive search engines to get a higher search ranking (Exhibit 1).
At the time of this analysis, eSentire’s TRU team has observed that the malicious payload is delivered via two methods:
The example of the payload distribution via Google Groups Pages is shown in Exhibit 2.
We observed that the attacker(s) did a bulk upload of the payloads (501 files) on August 8, 2021 (Exhibit 3).
Below is an example of a compromised WordPress website hosting the payload, the third page contains the keywords used for SEO poisoning (Exhibit 4).
If a targeted victim clicks on one of the two download options, they will get multiple redirects to different webpages (Exhibit 5) hosting the loading icon to make it look as if the webpage is legitimately generating a document for the user to download (Exhibit 6).
The end-user is presented with the fake Google Drive download page after all the redirects (Exhibits 7-8). The URL for the final download page changes every time the user initiates a new download or clicks on a “Download” button. We have observed that most of the domains used by SolarMarker threat actor(s) are hosted on Freenom.
Further analysis by eSentire’s TRU team discovered the obfuscated JavaScript script embedded in the source code of the download page (Exhibit 9). One of the decryption functions has the name “h, u, n, t, e, r”. We were able to find the same obfuscation technique being reproduced by another security researcher.
The de-obfuscated script (Exhibit 10) was responsible for redirecting the user to another URL if there is no interaction observed from the user within a certain amount of time. The redirect URL appends the total number of mouse events from the end-user after the “udh=” value. The URL appears to be empty from what we have observed.
TRU has observed that the threat actor(s) replaced their Google Drive landing pages with a fake Microsoft page (Exhibit 11).
Threat actor(s) used the image from a PDF conversion software advertised on HiAppHere Market as a part of the landing page. The next page where the victim will be redirected to download the payload is also embedded within the landing page (the embedded URL is different each time the landing page is generated), as seen in Exhibit 12.
However, attempting to download the payload twice from the same browser did not prove to be successful, so we worked off the hypothesis that there was a fingerprinting mechanism to prevent researchers from downloading payload samples.
Further analysis led to an interesting URL used in the iframe (an HTML element that embeds another HTML page within the current one). The embedded URL contains FingerprintJS (browser fingerprinting library) JavaScript snippet that provisions a visitor an identifier (Exhibit 13). Every visitor gets a unique visitorID hash value, which is calculated from multiple browsers. The hash is identical for the same browser and the same device whether the user is visiting from Incognito (private) mode or not.
As such, the user is only able to download the payload once from the same browser.
After we made a second attempt to download the payload, we acquired a file masquerading as a PDF and DOCX file filled with gibberish data (Exhibit 14).
At the time of this analysis, the downloaded payloads analyzed are over 200MB in size and come in the form of EXE and MSI files. Most sandboxes have size limitations for the uploaded files. eSentire TRU assesses the chances as almost certain that the SolarMarker payloads are compiled in large sizes for sandbox evasion.
The file we analyzed is a 32-bit executable (262 MB in size). The original name of the file is IOSdyabisytda.exe. We have been consistently observing that the threat actor(s) are using the same name for initial payloads.
SHA-256: 85fb7076044071a28afb43bec12e4f8ce93525132b2ae512934529f9f09895a5
The compiled date is November 12, 2021.
The file is signed by DigiCert to Outer Join Srl. The eSentire TRU team has observed that SolarMarker is leveraging DigiCert and SSL.com for digital signatures. The payloads were seen to go under the following signer names:
Interestingly, we found another sample on MalwareBazaar attributed to Arkei Stealer using Outer Join Srl for the signer's name. Both certificates for SolarMarker and Arkei Stealer were issued by DigiCert and were valid from 8/16/2021 to 8/13/2022.
Upon execution of the initial payload, the decoy file named with 8 random characters is created from the folder where the payload was downloaded to as well as under the path C:\Users\*\AppData\Roaming\Free PDF Soulutions. The decoy file is disguised as PDF Merge software (Exhibit 15). The infection chain is shown in Exhibit 16.
In the past, we have observed that SolarMarker delivered Classic PDF Editor, Wondershare PDFelement, and PDFsam as decoys.
It is worth noting that the core functionality lays within the function that runs the PowerShell script shown in Exhibit 17.
Below, we will demonstrate how the aforementioned PowerShell script works.
The payload registers a randomly named extension key under Computer\HKEY_CLASSES_ROOT\ (Exhibit 18).
The file extension key is pointed to the handler key. The handler key contains the PowerShell command (Exhibit 19) responsible for decrypting the payload located under a randomly named folder under %TEMP% directory (Exhibit 20).
The threat actor(s) changed their payload encryption and decryption methods to use AES. We have observed SolarMarker decrypting the payload using the XOR key in the past (Figure 21).
After the payload is decrypted, the SolarMarker backdoor runs in memory under the powershell.exe process and reaches out to the C2 IP 146.70.53.153.
SolarMarker comes in two different modules:
Thus far, eSentire TRU has observed that the majority of SolarMarker deployments result in backdoor deployments as it provides the threat actor(s) with the option to deliver additional payloads. The backdoors are obfuscated with .NET DLLs (Dynamic Link Libraries).
In April 2021, SolarMarker backdoors were relatively easy to spot (Exhibit 22). However, since April, the threat actor(s) have further developed their capabilities to include extra layers of obfuscation to challenge security researchers conducting analyses (Exhibit 23).
The most recent backdoor (SHA-256: eeecc2bd75ec77db22de5c47efe1fbef63c6b310d34bac6e3b049eef7f86c90b) that was compiled on April 4, 2022 came with more obfuscation and a bigger file size (578KB) than the previous backdoor we observed in March 2022 (142KB).
SolarMarker is encrypting all the traffic to C2 Servers using a hard-coded RSA key and a symmetric AES CBC (Cipher Block Chaining) algorithm (Exhibit 24).
The hard-coded RSA key is obfuscated in the recent sample (Exhibit 25).
The following are the examples of the hard-coded RSA keys from two recently analyzed samples.
Sample in March 2022:
<RSAKeyValue> <Modulus>miX5pqHHoi4bCmFMVXn011knsHqrax4gkkfzIRjmgoY+e3ZoZxGrv0iFR51Pfr2tC+L38rejzLcTQu1af/5gV8axXDvEtQOBcW0nHQE+kjxbOG1r78I0ooChd4ZVoSnbWfUJU/2a2FFathdVm4L8CAbQ67+K7wJ1mrHp1pVnWW/1GsZNbE+QLN3rvyBCK4Zfm943AgCM5KD7GKADr0pBkWuoIu1C9ja3CZokjg7BzztItzni1f0gBdr26SMi0YDHn8zRLTfZ9MzSNstYzdkfG4zkkO3gyyohXSBGgZBgz4V52/b61Wbt4o6IKedhuOfQZ9u47icSJMannC/MXCEKEw== </Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue>
Sample in April 2022 (de-obfuscated):
<RSAKeyValue> <Modulus>1Jdz6XZ+pS1/3M6Ckgp80OODMqYyvFp7GY30flJPdAiNnsXg171wHz+rBtU5dHPCiEtHSf/Qh59ocgFPEMKcbsUErt1bmqcRcwr9B6GChYT5jvngEQU2wNuqbzFPYOB5Nou/8ORt6TmpVPQtibHXrHoi4GDgX4TqcI8ikPRsmLU7d5XZKV6jVyLFw00gPFBwjLHJjC9qa0j2nsI7oGBuPXS86xpI/uhqPdDVDo6aBFc/aeVq+RUK0A2ZUnM6z6IcIX9BlRQ4fr9FMthvkn1Ki1T8bvubzebuS4l7//0gXMoRjvrJMtANSryjh1zo/1G2u25nZIPsmgHCtBtoDBBUMQ== </Modulus> <Exponent>AQAB</Exponent> </RSAKeyValue>
The backdoor conducts enumeration of the infected machine, and then exfiltrates the data in a JSON format to the C2 Server. The following are the examples of the most recent JSONs being sent out to the C2:
{"action":"ping","hwid":"91NUSI6GCG34GIUNY1LDBDXVC7F8ILXY","pc_name":"","os_name":"Win 10","arch":"x64","rights":"-","version":"MR_3/B","workgroup":"? | ?","dns":0,"protocol_version":2}
{"action":"get_file","hwid":"(),"task_id":"(),"protocol_version":2}
{"action":"ping","hwid":"98GIWW5X3CY8G90WAAYVL6595WE2H8UQ","pc_name":" ","os_name":"Win 10","arch":"x64","rights":"-","version":"AP_1/B","workgroup":"? | ?","dns":0,"protocol_version":2}
The collected information includes machine name, OS version, system architecture (x64 or x86), user rights (Admin or Users), workgroup, DNS, and protocol version. In addition, the following can be identified:
The following pattern identifies the status from the C2 (“file” or “idle”). The status file means the C2 is going to send the payload to the infected machine that can be either an executable (.exe) or a PowerShell script (.ps1). The additional payloads will be written to the %TEMP% folder. The payload also appends a unique base64-encoded hash that is different for each communication between the C2 Server and infected machine.
{"status": "idle", "uniq_hash": "J3FutDyWOcLByw=="}
The command value is used to invoke the fetched PowerShell script from C2 (Exhibit 26).
We can see the crypto wallet stealing capability in the Module.Main class (Exhibit 27).
The list of targeted crypto wallets includes:
The SolarMarker infostealer also has the capability to steal VPN and RDP configurations as well as cookies and browser credentials from Opera, Brave, Microsoft Edge, Mozilla Firefox, and Google Chrome since browsers store passwords and cookies in an encrypted form.
Unfortunately, it does not take the infostealer a lot of effort to decrypt the passwords and cookies. Some of the main prerequisites needed to decrypt browser credentials and cookies are shown in Exhibit 28.
The infostealer then calls the CryptUnprotectData function to decrypt the data.
The infostealer fingerprints OS information and sends it to the C2 using the similar pattern as we mentioned before in the backdoor. Communication with C2 channels is also similar with the backdoor using a hard-coded RSA key and symmetric AES CBC algorithm.
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a full-scale response approach to combat modern cybersecurity threats by deploying countermeasures, such as:
Our detection content is supported by investigation runbooks, ensuring our SOC analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.
We recommend implementing the following controls to help secure your organization against the SolarMarker malware:
While the TTPs used by adversaries grow in sophistication, so does your organizations defenses. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.
eSentire’s TRU team is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.
Name | Indicators |
C2 | 37.120.237[.]251 |
C2 | 37.120.233[.]92 |
C2 | 45.42.201[.]248 |
C2 | 92.204.160[.]233 |
C2 | 146.70.40[.]236 |
C2 | 146.70.53[.]153 |
C2 | 146.70.101[.]97 |
C2 | 146.70.88[.]119 |
C2 | 188.241.83[.]61 |
C2 | 86.106.20[.]155 |
Types-Of-Writs-Texas.exe | 85fb7076044071a28afb43bec12e4f8ce93525132b2ae512934529f9f09895a5 |
Accounting-For-Contract-Cancellation-Fees-Aspe.exe | 11543f09c416237d92090cebbefafdb2f03cec72a6f3fdedf8afe3c315181b5a |
Mto-Medical-Review-Form.exe | 7cc35fbce4b353c541f1ee62366248cc072d1c7ce38b1d5ef5db4a2414f26e08 |
Ny-Motion-To-Quash-Third-Party-Subpoena.msi | 1ed9469724b3ba2891dc0efee29b1de93054601cb44aaf433c2b5860884dfa71 |
Bullet-Statements-For-Ncoer.msi | 57171e869512862baa9e4fd15b18c1d577a31f2ca20b47435f138f989bca2d72 |
Metlife-Disability-Waiver-Of-Premium-Benefit-Rider.msi | bc7986f0c9f431b839a13a9a0dfa2711f86e9e9afbed9b9b456066602881ba71 |
Free-Business-Partner-Contract-Template.msi | 0adfbce8a09d9f977e5fe90ccefc9612d1d742d980fe8dc889e10a5778592e4d |
London-Two-Party-Consent.exe | af0220126a369878bda6f4972d8d7534964dea73142c18e439a439373f67ec21 |
Tower-Crane-Dismantling-Method-Statement.xe | d7067ecb291c79ccd3a4d745413b85451ca26b92015a45f9ed6e5304ac715299 |
deimos.dll (SolarMarker backdoor) | 586607b7d094e4acb3373d6812e62b870c64d17f18b7c5fd929d4418a61b4f30 |
deimos.dll (SolarMarker backdoor) | 0f0ceeec9f5bca4b257997ed6adf599e8cf5c1c890fb1fa949e6905563152216 |
9af342fe404749aa973fcec40fd4ed44.dll (SolarMarker backdoor) | eeecc2bd75ec77db22de5c47efe1fbef63c6b310d34bac6e3b049eef7f86c90b |
e83a74b0-0d5f-45cf-b53f-6f94e2346951.dll (SolarMarker backdoor observed in August 2021) | 0351dc341644bab0fff06d882510255941c9f3eb44dcdd444a54f68fbcd2d62c |
7aa897bd-8618-4569-be79-d5ec94156c87.dll (SolarMarker Infostealer) | fb6c91bcf21a2cb7252672c77f85585fdc3ff6f74486a4370d566a75c146a45a |
The Yara rule for the malicious DLL and the executable:
import "pe" rule SolarMarker_backdoor { meta: author = "eSentire TI" date = "04/13/2022" version = "1.0" strings: $string1 = "ezkabsr" wide fullword nocase $string3 = "deimos.dll" wide fullword nocase $string4 = "solarmarker.dat" wide fullword nocase $string5 = "dzkabr" wide fullword nocase $string6 = "Invoke" $string7 = "set_UseShellExecute" condition: 2 of ($string*) and (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) } import "pe" rule SolarMarker_stealer { meta: author = "eSentire TI" date = "04/13/2022" version = "1.0" strings: $string1 = "exodus.wallet" wide fullword nocase $string2 = "*wallet*.dat" wide fullword nocase $string3 = "*.rdp" wide fullword nocase $string4 = "default.rdp" wide fullword nocase $string5 = "\\atomic\\Local Storage\\leveldb" $string6 = "\\Login Data" $string7 = "uniq_hash" wide fullword nocase condition: 5 of ($string*) and (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) } import "pe" rule SolarMarker_payload { meta: author = "eSentire TI" date = "04/13/2022" version = "1.0" strings: $string1 = "IOSdyabisytda" wide fullword nocase $string2 = "PowerShell" $string3 = "Invoke" $string4 = "ProcessStartInfo" condition: 3 of ($string*) and (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f) }
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.