Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
eSentire's Threat Research Unit (TRU) observed that SolarMarker malware campaigns are now utilizing PyInstaller to hide malicious PowerShell scripts, marking a shift from previous methods such as Inno Setup and PS2EXE.
This evolution underscores the adaptability of threat actors and the necessity for continuous vigilance. In response, our team of 24/7 SOC Cyber Analysts quickly isolated the affected device, preventing further compromise.
In this TRU Positive, we’re sharing a case study that highlights the download of a deceptive PDF from a fake Loma Linda University website, leading to the execution of SolarMarker backdoor.
The user downloaded a malicious file disguised as a PDF document from a website hosted by threat actors. This site, discovered through a search, masqueraded as Loma Linda University (Figure 1).
Executing the initial payload (in our example, it’s named “ChildCareWaiverRequest.exe” (MD5: 02df78385af891a268212f6093b91154)) spawns another process in a suspended mode that is responsible for running the main compiled python file along with dependencies dropped under “C:\Users\username\AppData\Local\Temp\_MEI*” folder (Figure 2).
Upon decompiling the Python file, we notice the constants from the “Names” section, such as b64decode, subprocess, CREATE_NO_WINDOW, etc. This means that the code decodes base64-encoded strings, spawns a new process (powershell.exe), and executes the base64-decoded script within that process (Figure 3).
The CREATE_NO_WINDOW flag is typically used in conjunction with subprocesses to indicate that the window of the executed process should not be displayed.
The first blob of the base64-encoded strings contains the decoy PDF file “~BH-04918471412496586.pdf” (MD5: 3ccb3a9ab45b0f6019c7fcefaea15e8f) shown in Figure 4.
The second blob of base64-encoded strings contains the SolarMarker backdoor that is decrypted using AES (Advanced Encryption Standard) and invokes a method (ROlE12X1RL2rjeOl92VczRp7cwNevbFIEfbyldUMlfayIcoU_Pti8MiNdHKRKX1knWKh09K) from the dynamically loaded assembly (Figure 5).
The SolarMarker malware campaign cleverly combines PowerShell and Python to sneak past basic defenses. Yet, by maintaining oversight of the entire process from start to finish, we can still detect and neutralize these complex malware threats effectively.
What did we do?
Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the client of suspicious activities.
What can you learn from this TRU Positive?
- The SolarMarker malware campaign's shift from using Inno Setup and PS2EXE to PyInstaller for concealing first-stage PowerShell scripts illustrates the threat actors' adaptability and response to detections that exist for SolarMarker.
- This underscores the need for continuous monitoring and updating of security protocols to counter new distribution methods.
- The malicious file, disguised as a legitimate PDF document and distributed via a website mimicking Loma Linda University, demonstrates the sophisticated social engineering tactics employed.
- This highlights the importance of educating users about the risks of downloading files from unverified sources.
- Decompiling the Python file reveals the use of base64 decoding, subprocess spawning, and the CREATE_NO_WINDOW flag to execute PowerShell scripts.
- This information underscores the importance of having the capability to decompile and analyze malware components.
Recommendations from our Threat Response Unit (TRU):
We recommend implementing the following controls to help secure your organization against SolarMarker malware:
- Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
- Implement a Phishing and Security Awareness Training (PSAT) Program that educates and informs your employees on emerging threats in the threat landscape.
- Encourage your employees to use password managers instead of using the password storage feature provided by web browsers. Use master passwords where applicable.
Indicators of Compromise
You can access the indicators here.
To learn how eSentire can help you find exposures and defend your organization, connect with an eSentire Security Specialist now.
GET STARTEDABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.