SolarMarker Impersonates Job Employment Website, Indeed, with a Team Building-themed Lure

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In April 2024, our team of 24/7 SOC Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed (Figure 1).

This deceptive site lured the user into downloading what appeared to be a legitimate document, but instead initiated the download of the malicious SolarMarker payload. This incident escalated as SolarMarker deployed additional malicious components, including StellarInjector and SolarPhantom.

Previously, SolarMarker embedded its backdoor in the code. Recently, however, SolarMarker has started embedding the backdoor in the resource section (Figure 2) of the file encrypted with the AES encryption algorithm. Upon execution of the initial payload, the fake error will be displayed (Figure 3).

The backdoor connects to the C2 servers at 2.58.15[.]118 and 146.70.80[.]83.

Upon the successful connection to the backdoor server, the threat actors delivered the StellarInjector payload (MD5: 0440b3fbc030233b4e9c6748eba27e4d) that is responsible for injecting SolarPhantom (MD5: 6bef5498c56691553dc95917ff103f5e) into SearchIndexer.exe process (Figure 4).

SolarPhantom features info stealing and hVNC (hidden virtual network computing) capabilities.

The backdoor configuration is as follows:

{"action":"ping","hwid":REDACTED,"pc_name":"?","os_name":"Win 10","arch":"x86","rights":"-","version":"MAY-3","workgroup":"? | ?","dns":0,"protocol_version":2}

RSA Public Key Value:

<RSAKeyValue><Modulus>usPbW3syIiYE/Q6GYhcFO7vq2XZ6lDXvSEYX9H0RgMdBNOhY7quUbYwDPbGzTm0TOLIe+lH3arGznRRs5WxTOaqa4U2J0d5Dm1tntCAHNvDtcn1S8rTTcYmj5JyG6471RnKBBiawGiCzf4TEAU49KthADkt4RT8C5rMzl8ElxxzktM7iY5RQfKuRgAXq8JLJsmvKGDqFLtbyqI7tBdjWYApMTjLUgY6fc2H7Dhs/fJfi8s7eg1EFbFKqdc7H7wqS44we/9GX0JxrCfxiyiZJaOhLmzYDrId6OnkSQ7ChXqlLGAkrKKS2YZMX23/XHxShEKDLItupTtKCoFRtSspdfQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>

For SolarPhantom, the browsing data is staged within a folder in the %TEMP% directory. The folder's name is the 10-digit value, for example "3619417678". The filename is generated based on the following:

• The function retrieves a byte from the input data. The data includes a path to the user's browser profile, appended with the string "saturn" and the location of the Firefox executable, for example:
  • "C:\\Users\\username\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\6ukz113v.default-releasesaturnC:\\Program Files\\Mozilla Firefox\\firefox.exe"
• The byte is then XORed with the least significant byte (LSB) of v1 value after it has been shifted to the right by 8 bits. This operation will produce an index that will be used to access a specific value in the CRC32 lookup table.
• The value retrieved from the lookup table is XORed with the v1 value. This XOR operation updates v1 to a new value.

We have observed SolarMarker using two different certificates for the initial payload:

• Ameri Mode Inc. (Issuer: DigiCert)
• SMART AC VIET NAM TM & DV JOINT STOCK COMPANY (Issuer: GlobalSign)

What did we do?

Our team of 24/7 SOC Cyber Analysts isolated the affected host, notified the customer of suspicious activities, and provided remediation support.

What can you learn from this TRU Positive?

• By deploying additional components like StellarInjector and SolarPhantom, the attackers enhanced their capabilities for system compromise and data exfiltration.
• SolarMarker utilizes search engine optimization (SEO) poisoning techniques to manipulate search engine results and boost the visibility of deceptive links.
  • The attackers' use of SEO tactics to direct users to malicious sites underscores the importance of being cautious about clicking on search engine results, even if they appear legitimate.
• The incident emphasizes the danger of malicious websites impersonating well-known legitimate sites like Indeed. In this case, enterprise users appeared to be the preferred target given the keywords targeted and impersonation of the Indeed brand.
  • Users should also be vigilant and verify the authenticity of websites before downloading any files.
• The use of legitimate certificates, such as those signed by DigiCert and GlobalSign, for the initial payload indicates the need to scrutinize digital certificates and the entities using them thoroughly.
• The case highlights the critical need for continuous vigilance, threat intelligence, and proactive defense measures, including regular security updates and employee training to recognize and respond to potential threats.

Recommendations from our Threat Response Unit (TRU):

We recommend implementing the following controls to help secure your organization against SolarMarker:

• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
• Implement a Phishing and Security Awareness Training (PSAT) Program that educates and informs your employees on emerging threats in the threat landscape.
• Encourage your employees to use password managers instead of using the password storage feature provided by web browsers. Use master passwords where applicable.
• Report certificate misuse.

Indicators of Compromise

You can access Indicators of Compromise here.

References

• https://www.esentire.com/blog/solarmarker-to-jupyter-and-back
• https://github.com/esThreatIntelligence/iocs/blob/main/SolarMarker/iocs_5-31-2024.txt