Cyber risk and advisory programs that identify security gaps and build strategies to address them.
MDR that provides improved detection, 24/7 threat hunting, end-to-end coverage and most of all, complete Response.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Be protected by the best from Day 1.
24/7 Threat Investigation and Response.
Expert hunting, research and content.
Defend brute force attacks, active intrusions and unauthorized scans.
Safeguard endpoints 24/7 by isolating and remediating threats to prevent lateral spread.
Investigation and enhanced threat detection across multi-cloud or hybrid environments.
Configuration escalations, policy and posture management.
Detects malicious insider behavior leveraging Machine Learning models.
Customer testimonials and case studies.
Stories on cyberattacks, customers, employees, and more.
Cyber incident, analyst, and thought leadership reports.
Demonstrations, seminars and presentations on cybersecurity topics.
Information and solution briefs for our services.
MITRE ATT&CK Framework, Cybersecurity Assessment, SOC Calculator & more
eSentire has observed a recent and significant increase in SolarMarker infections delivered through drive-by download attacks. These attacks rely on social engineering techniques to persuade users to execute malware disguised as document templates. SolarMarker is a modular information-stealing malware; infections may result in the theft of sensitive data including user credentials.
eSentire is sharing details on these attacks, including indicators of compromise to increase awareness of this threat across our customers.
SolarMarker is a modular information-stealing malware distributed through drive-by attacks. The malware is under active development and is highly evasive and difficult to detect.
Victims are lured to malicious web pages via search engine results, often for document templates. For example, a user might search for a work-from-home policy guide and arrive on a SolarMarker delivery site. SolarMarker operators seed their websites with specific keywords which will flag in search results on popular search engines such as Google. Upon clicking on a search result, the user is presented with the option to download a PDF or Word version of the document they are seeking. Instead of a document, they are presented with a malicious executable (.exe) or Microsoft Installer (.msi) file.
After successful execution, a generic decoy document is opened on the desktop:
When file extensions are hidden, SolarMarker appears in file explorer as a PDF (note the “type” field indicates it is an application).
When file extensions are shown, it is more apparent the file is not a PDF document:
A recent variant of this attack leverages Microsoft Installer files (.msi). These are not as well-disguised as documents, but they have still been successfully executed by victims.
SolarMarker .msi file with file extensions hidden:
SolarMarker .msi file with file extensions shown:
partnerinsignia[.]site
pdfdocdownloadspanel[.]site
146.70.24.173
167.88.15.115
185.236.203.153
185.244.213.64
23.108.57.102
23.29.115.175
37.120.237.251
37.120.247.199
45.42.201.248
03346A959C12EC00BF849A985A297ACE
0491CD2715E86E3D4B04F34A0DB03EF1
209A4C5F64BEDDCE266FA4CFBD61E7FF
34FB289E9FEE64CD7D4B588F0AF35A87
8693B9CFB8B4C466AE12CCDC2FEB46CE
C4772D76029004A5512EA6E2FF3BE39B
F4DD5F920BAC97CC0DE7AEA669E64DED
References:
[1] https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire
[2] https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html
[3] https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer
[4] https://squiblydoo.blog/2021/05/02/mars-deimos-solarmarker-jupyter-infostealer-part-1/