The Solarmarker InfoStealer malware
A new report has revealed a concerning trend in which attackers are harvesting credentials from sectors such as healthcare and education with the help of a highly modular .NET-based information stealer and keylogger. The malicious tool goes under the name of “Solarmarker” and, according to the report, has been active since September last year.
In a recent technical write-up, the Cisco Talos researchers Andrew Windsor and Chris Neal noted that the Solarmarker campaign appears to be run by a highly skilled attacker focused on stealing credentials and residual information from its targets.
What sets Solarmarker apart is that it is built from several malicious modules that work together. One of the most prominent is a .NET assembly module that serves as a system profiler and as the staging ground for C2 communications. The same module also acts as the hosting component for infostealer components such as Jupyter and Uran.
The first of these components, deployed onto systems by the .NET assembly, is known for its ability to steal a victim’s personal data and credentials, as well as to extract data from their Firefox and Google Chrome browsers. The Uran component is a malware payload that had not previously been reported. According to the available information, it operates as a keylogger, allowing the attacker to capture the victim’s typed keystrokes.
Talos’ static and dynamic analysis of Solarmarker’s artifacts suggests that a Russian-speaking malicious actor is behind the attack campaign. However, it is possible that the malware authors deliberately constructed those artifacts to mislead researchers.
Solarmarker’s reemergence on the malware scene relies on various previously unseen tactics intended to keep it under cover for as long as possible.
Even though the threat actor behind the infection has been using an old trick, search engine optimization (SEO) poisoning, to increase the visibility of malicious sites and drive visitors to the infected dropper files, researchers have observed that the attacker has also adopted several new tactics in an attempt to evade detection.