eSentire has observed a recent and significant increase in SolarMarker infections delivered through drive-by download attacks. These attacks rely on social engineering techniques to persuade users to execute malware disguised as document templates. SolarMarker is a modular information-stealing malware; infections may result in the theft of sensitive data including user credentials.
eSentire is sharing details on these attacks, including indicators of compromise, to increase awareness of this threat across our customers.
SolarMarker is a modular information-stealing malware distributed through drive-by attacks. The malware is under active development and is highly evasive and difficult to detect.
Victims are lured to malicious web pages through search engine results, typically while searching for document templates. For example, a user might search for a work-from-home policy guide and land on a SolarMarker delivery site. SolarMarker operators seed their websites with specific keywords so that the pages rank in results on popular search engines such as Google. After clicking the search result, the user is offered the document for download in PDF or Word format. Instead of a document, the user receives a malicious executable (.exe) or Microsoft Installer (.msi) file.
After successful execution, a generic decoy document is opened on the desktop:
When file extensions are hidden (the Windows default for known extensions), SolarMarker appears in File Explorer as a PDF by icon and name; note that the Type column still reads Application rather than a PDF document type.
When file extensions are shown, it is more apparent that the file is an executable and not a PDF document:
A recent variant of this attack uses Microsoft Installer files (.msi). These are not as well disguised as documents, but victims have still executed them.
SolarMarker .msi file with file extensions hidden:
SolarMarker .msi file with file extensions shown:
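Because a hidden extension or a double extension (policy.pdf.exe) only changes what File Explorer shows, a first triage step for downloads like the ones above is to classify a file by its leading bytes instead of its name. The following Python is an added example, not eSentire's code: the magic-byte table, the document and executable extension sets, and the lure-word list are assumptions, and the sample files are constructed stand-ins (a fake PE header, an empty OLE container), not SolarMarker samples.

```python
"""Triage downloaded "documents" by content rather than by name or extension.

Added example, not eSentire's code. The signatures, extension sets and lure
words below are assumptions chosen to illustrate the check.
"""
import struct
from pathlib import PurePath

PDF_MAGIC = b"%PDF-"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # .msi, and also legacy .doc/.xls
ZIP_MAGIC = b"PK\x03\x04"                       # .docx/.xlsx are ZIP containers

DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
# Assumed lure words, modelled on the "document template" searches described above.
LURE_WORDS = ("policy", "template", "guide", "form", "agreement", "handbook")


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sniff(data: bytes) -> str:
    """Classify content by leading bytes: 'pdf', 'pe', 'ole', 'zip' or 'unknown'."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if is_pe(data):
        return "pe"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Report whether a download that is presented as a document is really executable."""
    p = PurePath(filename)
    ext = p.suffix.lower()
    inner_ext = PurePath(p.stem).suffix.lower()  # "policy.pdf.exe" -> ".pdf"
    content = sniff(data)
    # PE bytes are executable regardless of name. An OLE container is treated as an
    # installer only when the name says .msi, since legacy Office files share the format.
    executable = content == "pe" or (content == "ole" and ext == ".msi")
    reasons = []
    if executable and inner_ext in DOCUMENT_EXTS:
        reasons.append(f"double extension hides executable as {inner_ext}")
    if ext == ".pdf" and content != "pdf":
        reasons.append(f".pdf name but {content} content")   # a real PDF starts with %PDF-
    elif ext in DOCUMENT_EXTS and content == "pe":
        reasons.append(f"{ext} name but PE content")
    if executable and any(w in p.stem.lower() for w in LURE_WORDS):
        reasons.append("executable or installer with a document-lure name")
    return {"file": filename, "ext": ext, "content": content,
            "suspicious": bool(reasons), "reasons": reasons}


def make_pe_stub() -> bytes:
    """Constructed minimal PE-looking header (not a runnable program)."""
    buf = bytearray(0x48)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\0\0"
    return bytes(buf)


# Constructed stand-ins for downloads; none of these are real SolarMarker files.
SAMPLES = {
    "work-from-home-policy.pdf.exe": make_pe_stub(),
    "Employee_Handbook_Template.msi": OLE_MAGIC + b"\0" * 504,
    "work-from-home-policy.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "setup.msi": OLE_MAGIC + b"\0" * 504,
}


def run_samples() -> dict:
    """Triage every constructed sample and return the reports keyed by file name."""
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for r in run_samples().values():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['file']:32} content={r['content']:8} {'; '.join(r['reasons'])}")
```

The content check is deliberately independent of the extension so that it still works when Explorer hides the .exe; the lure-word rule is the weakest of the three (it is a heuristic and will need tuning per environment), which is why it is kept separate from the byte-level mismatch rules.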