SolarMarker Malware Targets Healthcare and Education Sectors

A new surge of attacks against the Healthcare and education sectors has been attributed to SolarMarker Malware, a .NET-based information stealer and keylogger. The attacks have gone under the radar, for the most part, owing to the threat actors skills in obfuscation. SolarMarker Malware is believed to have been active since September 2020, with telemetry data pointing to malicious actions as early as April 2020, according to Cisco Talos.

“At its core, the Solarmarker Malware campaign appears to be conducted by a fairly sophisticated actor largely focused on credential and residual information theft,” Talos researchers Andrew Windsor and Chris Neal said in a technical write-up published last week.

According to the report, a Solarmarker Malware infection consists of multiple moving parts, primarily a .NET assembly module that serves as a system profiler and staging ground on the victim host for command-and-control (C2) communications and further malicious actions, including the deployment of information-stealing components like Jupyter and Uran.

The assembly module is capable of stealing personal data, credentials, and form submission values from a targets Firefox or Chrome browsers. The latter acts as a keylogger to capture the victim’s keystrokes.

The renewed use of SolarMarker Malware has been accompanied by a shift in tactics and multiple iterations to the infection chain. Still, the hackers behind the virus still latch to the tactic of SEO poisoning, which refers to the abuse of search engine optimization (SEO) to gain more eyeballs and traction to malicious sites or make their dropper files highly visible in search engine results.

“Operators of the malware known as SolarMarker Malware, Jupyter, [and] other names are aiming to find new success using an old technique: SEO poisoning,” the Microsoft Security Intelligence team disclosed in June. “They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware.

Talos’ static and dynamic analysis of Solarmarker Malware’s artifacts points to a Russian-speaking adversary, although the threat intelligence group suspects the malware creators could have intentionally designed them in such a manner in an attempt to mislead attribution.

“The actor behind the Solarmarker Malware campaign possesses moderate to advanced capabilities,” the researchers concluded. “Maintaining the amount of interconnected and rotating infrastructure and generating a seemingly limitless amount of differently named initial dropper files requires substantial effort.”

“The actor also exhibits determination in ensuring the continuation of their campaign, such as updating the encryption methods for the C2 communication in the Mars DLL after researchers had publicly picked apart previous components of the malware, in addition to the more typical strategy of cycling out the C2 infrastructure hosts.”.

SolarMarker Malware Analysis

Note: This analysis was carried out by CrowdStrike.

Based on observed filenames in public malware repositories (e.g., Advanced-Mathematical-Concepts-Precalculus-With-Applications-Solutions.exe) and Falcon telemetry, the hypothesis is that the malware is delivered as a fake document download targeting users performing web searches for document files. CrowdStrike has observed a number of Google Sites hosted pages as lure sites for malicious downloads. These sites advertise document downloads and are often highly ranked in search results. The use of Google Sites suggests attempts by the threat actors to increase search ranking.

The malware installer filenames and lure sites have only been observed in English so far, and based on Falcon telemetry, it is clear that SolarMarker Malware is most prevalent in Western countries, especially in the U.S.

The executable with SHA256 hash

3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01

is an Inno Setup Installer. This program is the first stage in a multi-stage dropper chain leading to the SolarMarker backdoor. Figure 10 gives an overview of the malware’s dropper chain

The installer uses Inno Setup’s Pascal Scripting feature to customize its actions. It will first extract two temporary files to %Tmp%\.tmp\, where is a unique directory name.

Both files will be deleted once the installer completes. The file Docx2Rtf.exe is the document converter Docx2Rtf version 4.4, a benign file. The file waste.dat is 112 MB in size, but contains only zero bytes, indicating that the file was only included in the installer to increase its size, which is known to prevent detection by some security products. Once these two files are extracted, Docx2Rtf.exeis executed and the installer sleeps for five seconds.

The installer then checks if it is executed on one of its targeted operating system (OS) versions and exits if not. The targeted versions are Windows 8.1, Windows Server 2012 R2, Windows 10 and Windows Server 2016. After being certain about the OS, the installer decrypts a third stage and writes it to %Temp%\.txt, where is a random 32-character hexadecimal string.

The third stage is encrypted twice with different keys, and the installer will only decrypt it once. The decryption function named DECRYPTPS takes in a hex-encoded-encrypted blob and a string-based key and performs a simple XOR operation.