The Oncoming Wave of SolarMarker

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

Since November 2023, the eSentire Threat Response Unit (TRU) have observed a significant increase in SolarMarker infections across the clients within the insurance, manufacturing, software, construction, real estate, utilities, and legal industries.

eSentire TRU has tracked SolarMarker since 2021. In recent cases, SolarMarker's threat actor has alternated between Inno Setup and PS2EXE tools to generate payloads. Additionally, payloads generated using PS2EXE were modified using several string replacements on the file, seen in Figures 1 and 2.

The PowerShell script extracted can be seen in Figure 3. This script is designed to write 0 bytes to the decoy PDF named “EULA.pdf,” causing an error when the infected machine tries to open the PDF file. The payload within the script is encrypted using Advanced Encryption Standard (AES). After successfully decrypting the payload, the script will invoke specific class and method names.

SolarMarker’s decrypted payload has changed slightly from the one we described in our previous blog. With the recent payloads, the threat actor added more junk instructions (Figure 4), as can be seen in Figure 5 where junk byte arrays are present.

The string encryption method still remains the same as described in the previous blog.

Upon successful infection, SolarMarker loads second-stage payloads including infostealers and hVNC.

What did we do?

Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the customer of suspicious activities.

Detection Rules

You can access Yara rules for SolarMarker here.

What can you learn from this TRU Positive?

• SolarMarker's significant increase in infections across various industries, including insurance, manufacturing, software, and others, demonstrates its wide-reaching impact. This indicates a need for cross-industry awareness and preparedness against such threats.
• The SolarMarker threat actor's alternating use of Inno Setup and PS2EXE tools, along with slight modifications to the executables, reflects their evolving tactics. This highlights the importance of staying updated on threat actor methodologies for better cybersecurity defenses.
• The consistency of the string encryption method used by SolarMarker over time suggests a pattern that can be leveraged for detection. Understanding these encryption techniques can aid in developing more robust security measures.
• The loading of second-stage payloads like infostealers and hVNC upon successful infection with SolarMarker underscores the multi-layered approach in modern malware. Recognizing such strategies is crucial for comprehensive threat mitigation.
• The addition of junk instructions and byte arrays in recent payloads indicates an increasing effort by attackers to evade detection and slow down the analysis process. This emphasizes the need for dynamic and adaptable detection mechanisms in cybersecurity tools.

Recommendations from our Threat Response Unit (TRU):

We recommend implementing the following controls to help secure your organization against SolarMarker malware:

• Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.

• Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees on emerging threats in the threat landscape.
• Encourage your employees to use password managers instead of using the password storage feature provided by web browsers. Use master passwords where applicable.

eSentire TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.  

To learn what it means to have an elite team of Threat Hunters and researchers that works for you, connect with an eSentire Security Specialist now. 

Indicators of Compromise

<RSAKeyValue><Modulus>r9ensa/OHF27irVbIoStwHshi0DXxyt4ATicvgCykFs15FcuHFKlzd2K1Z5wAh9bNCRP1nBpAJvgHDMWxHZ9pnYbnKsrP/i0sXcxkMlcYxmzb7ePWT64LVVaV9Zw+e5L4AkrSKSvlb1PfKUQuksT7osEWaQXCX3T0cbNjIuFsYQGoTVtMdQXu0xVd4AXo1yv2VKieGlsCSiuXxd4RN4EshDH5dZR5QJ71GrFuWZoDRaDNMXAq71MInInlXWA2tf75ROvLr1kT863Mk+VmdCFO75bmVq6D+WRwS7T0qyfrth+PClPEbFKmO3IXcAMD1GW77upEWA9bHU4nL93yzMPwQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>

Version:"DE-4".

Digital Signatures used in the payloads we have seen:

• ТОВ "Гейм Трейд"
• ТОВ “Оноп”

References

• https://www.esentire.com/blog/solarmarker-to-jupyter-and-back
• https://github.com/MScholtes/PS2EXE
• https://github.com/RussianPanda95/Yara-Rules/tree/main/SolarMarker