eSentire Threat Intelligence Malware Analysis: SolarMarker

Since first emerging in 2020, SolarMarker (aka: Jupyter, Polazert, Yellow Cockatoo) remains one of the most successful malware campaigns, relying heavily on social engineering through search engine optimization (SEO). SolarMarker has significantly developed its capabilities since it first appeared in the wild – from C2 communication that is challenging to decrypt, to obfuscation that slows down malware analysis.

SolarMarker has two major capabilities, it installs a backdoor or an infostealer as soon as the victim runs the payload. Both SolarMarker’s modules can damage organizations as the backdoor can be leveraged by attacker(s) to deploy additional malware or steal sensitive information.

This malware continues to remain active in the wild and researchers from Morphisec believe that it is the work of Russian-speaking actor(s). The first admin panel was found hosted on a Russian server Joint Stock company (JSC) "ER-Telecom Holding". The background image of Jupiter from the admin panel that the researchers reversed originating from forums containing Cyrillic.

eSentire has observed a significant increase in SolarMarker infections delivered via drive-by downloads.

SolarMarker Technical Analysis

Distribution

The initial infection occurs with the user visiting a malicious website that is stuffed with keywords to deceive search engines to get a higher search ranking (Exhibit 1).

At the time of this analysis, eSentire’s TRU team has observed that the malicious payload is delivered via two methods:

1. Google Groups Pages
2. Compromised WordPress webpages (the malicious download lures are uploaded through Formidable with the following path "/wp-content/uploads/formidable/", which is the default file uploads page)

The example of the payload distribution via Google Groups Pages is shown in Exhibit 2.

We observed that the attacker(s) did a bulk upload of the payloads (501 files) on August 8, 2021 (Exhibit 3).

Below is an example of a compromised WordPress website hosting the payload, the third page contains the keywords used for SEO poisoning (Exhibit 4).

If a targeted victim clicks on one of the two download options, they will get multiple redirects to different webpages (Exhibit 5) hosting the loading icon to make it look as if the webpage is legitimately generating a document for the user to download (Exhibit 6).

The end-user is presented with the fake Google Drive download page after all the redirects (Exhibits 7-8). The URL for the final download page changes every time the user initiates a new download or clicks on a “Download” button. We have observed that most of the domains used by SolarMarker threat actor(s) are hosted on Freenom. 

Further analysis by eSentire’s TRU team discovered the obfuscated JavaScript script embedded in the source code of the download page (Exhibit 9). One of the decryption functions has the name “h, u, n, t, e, r”. We were able to find the same obfuscation technique being reproduced by another security researcher.

The de-obfuscated script (Exhibit 10) was responsible for redirecting the user to another URL if there is no interaction observed from the user within a certain amount of time. The redirect URL appends the total number of mouse events from the end-user after the “udh=” value. The URL appears to be empty from what we have observed.

TRU has observed that the threat actor(s) replaced their Google Drive landing pages with a fake Microsoft page (Exhibit 11).

Threat actor(s) used the image from a PDF conversion software advertised on HiAppHere Market as a part of the landing page. The next page where the victim will be redirected to download the payload is also embedded within the landing page (the embedded URL is different each time the landing page is generated), as seen in Exhibit 12.

However, attempting to download the payload twice from the same browser did not prove to be successful, so we worked off the hypothesis that there was a fingerprinting mechanism to prevent researchers from downloading payload samples.

Further analysis led to an interesting URL used in the iframe (an HTML element that embeds another HTML page within the current one). The embedded URL contains FingerprintJS (browser fingerprinting library) JavaScript snippet that provisions a visitor an identifier (Exhibit 13). Every visitor gets a unique visitorID hash value, which is calculated from multiple browsers. The hash is identical for the same browser and the same device whether the user is visiting from Incognito (private) mode or not.

As such, the user is only able to download the payload once from the same browser.

After we made a second attempt to download the payload, we acquired a file masquerading as a PDF and DOCX file filled with gibberish data (Exhibit 14).

Infection

At the time of this analysis, the downloaded payloads analyzed are over 200MB in size and come in the form of EXE and MSI files. Most sandboxes have size limitations for the uploaded files. eSentire TRU assesses the chances as almost certain that the SolarMarker payloads are compiled in large sizes for sandbox evasion.

The file we analyzed is a 32-bit executable (262 MB in size). The original name of the file is IOSdyabisytda.exe. We have been consistently observing that the threat actor(s) are using the same name for initial payloads.

SHA-256: 85fb7076044071a28afb43bec12e4f8ce93525132b2ae512934529f9f09895a5

The compiled date is November 12, 2021.

The file is signed by DigiCert to Outer Join Srl. The eSentire TRU team has observed that SolarMarker is leveraging DigiCert and SSL.com for digital signatures. The payloads were seen to go under the following signer names:

• OOO LEVELAP
• OOO ENDI
• Decapolis Consulting Inc.
• Divertida Creative Limited
• Zimmi Consulting Inc.
• Walden Intertech Inc.

Interestingly, we found another sample on MalwareBazaar attributed to Arkei Stealer using Outer Join Srl for the signer's name. Both certificates for SolarMarker and Arkei Stealer were issued by DigiCert and were valid from 8/16/2021 to 8/13/2022.

Upon execution of the initial payload, the decoy file named with 8 random characters is created from the folder where the payload was downloaded to as well as under the path C:\Users\*\AppData\Roaming\Free PDF Soulutions. The decoy file is disguised as PDF Merge software (Exhibit 15). The infection chain is shown in Exhibit 16.

In the past, we have observed that SolarMarker delivered Classic PDF Editor, Wondershare PDFelement, and PDFsam as decoys.

It is worth noting that the core functionality lays within the function that runs the PowerShell script shown in Exhibit 17.

1. This command is responsible for converting letters to upper and lower cases.
2. This command is responsible for creating a directory under %TEMP% folder.
3. This command is responsible for creating a .LNK file that contains the encrypted backdoor or infostealer under Startup (persistence mechanism).
4. This function is responsible for decrypting the SolarMarker backdoor using AES (Advanced Encryption Standard), also known as Rijndael.
5. This command is responsible for registering a file extension key (this is used so the file can be called out from a PowerShell script later).
6. This command is responsible for writing the payload content and executing it.

Below, we will demonstrate how the aforementioned PowerShell script works.

The payload registers a randomly named extension key under Computer\HKEY_CLASSES_ROOT\ (Exhibit 18).

The file extension key is pointed to the handler key. The handler key contains the PowerShell command (Exhibit 19) responsible for decrypting the payload located under a randomly named folder under %TEMP% directory (Exhibit 20).

The threat actor(s) changed their payload encryption and decryption methods to use AES. We have observed SolarMarker decrypting the payload using the XOR key in the past (Figure 21).

After the payload is decrypted, the SolarMarker backdoor runs in memory under the powershell.exe process and reaches out to the C2 IP 146.70.53.153.

SolarMarker comes in two different modules:

• SolarMarker Backdoor
• SolarMarker Infostealer

SolarMarker Backdoor

Thus far, eSentire TRU has observed that the majority of SolarMarker deployments result in backdoor deployments as it provides the threat actor(s) with the option to deliver additional payloads. The backdoors are obfuscated with .NET DLLs (Dynamic Link Libraries).

In April 2021, SolarMarker backdoors were relatively easy to spot (Exhibit 22). However, since April, the threat actor(s) have further developed their capabilities to include extra layers of obfuscation to challenge security researchers conducting analyses (Exhibit 23).

The most recent backdoor (SHA-256: eeecc2bd75ec77db22de5c47efe1fbef63c6b310d34bac6e3b049eef7f86c90b) that was compiled on April 4, 2022 came with more obfuscation and a bigger file size (578KB) than the previous backdoor we observed in March 2022 (142KB).

SolarMarker is encrypting all the traffic to C2 Servers using a hard-coded RSA key and a symmetric AES CBC (Cipher Block Chaining) algorithm (Exhibit 24).

The hard-coded RSA key is obfuscated in the recent sample (Exhibit 25).

The following are the examples of the hard-coded RSA keys from two recently analyzed samples.

Sample in March 2022:

<RSAKeyValue>
<Modulus>miX5pqHHoi4bCmFMVXn011knsHqrax4gkkfzIRjmgoY+e3ZoZxGrv0iFR51Pfr2tC+L38rejzLcTQu1af/5gV8axXDvEtQOBcW0nHQE+kjxbOG1r78I0ooChd4ZVoSnbWfUJU/2a2FFathdVm4L8CAbQ67+K7wJ1mrHp1pVnWW/1GsZNbE+QLN3rvyBCK4Zfm943AgCM5KD7GKADr0pBkWuoIu1C9ja3CZokjg7BzztItzni1f0gBdr26SMi0YDHn8zRLTfZ9MzSNstYzdkfG4zkkO3gyyohXSBGgZBgz4V52/b61Wbt4o6IKedhuOfQZ9u47icSJMannC/MXCEKEw==
</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>

Sample in April 2022 (de-obfuscated):

<RSAKeyValue>
<Modulus>1Jdz6XZ+pS1/3M6Ckgp80OODMqYyvFp7GY30flJPdAiNnsXg171wHz+rBtU5dHPCiEtHSf/Qh59ocgFPEMKcbsUErt1bmqcRcwr9B6GChYT5jvngEQU2wNuqbzFPYOB5Nou/8ORt6TmpVPQtibHXrHoi4GDgX4TqcI8ikPRsmLU7d5XZKV6jVyLFw00gPFBwjLHJjC9qa0j2nsI7oGBuPXS86xpI/uhqPdDVDo6aBFc/aeVq+RUK0A2ZUnM6z6IcIX9BlRQ4fr9FMthvkn1Ki1T8bvubzebuS4l7//0gXMoRjvrJMtANSryjh1zo/1G2u25nZIPsmgHCtBtoDBBUMQ==
</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>

The backdoor conducts enumeration of the infected machine, and then exfiltrates the data in a JSON format to the C2 Server. The following are the examples of the most recent JSONs being sent out to the C2:

{"action":"ping","hwid":"91NUSI6GCG34GIUNY1LDBDXVC7F8ILXY","pc_name":"","os_name":"Win 10","arch":"x64","rights":"-","version":"MR_3/B","workgroup":"? | ?","dns":0,"protocol_version":2}

{"action":"get_file","hwid":"(),"task_id":"(),"protocol_version":2}

{"action":"ping","hwid":"98GIWW5X3CY8G90WAAYVL6595WE2H8UQ","pc_name":" ","os_name":"Win 10","arch":"x64","rights":"-","version":"AP_1/B","workgroup":"? | ?","dns":0,"protocol_version":2}

The collected information includes machine name, OS version, system architecture (x64 or x86), user rights (Admin or Users), workgroup, DNS, and protocol version. In addition, the following can be identified:

• action – commands sent from the C2 channel (e.g., command get_file to retrieve additional payloads from C2)
• hwid – a unique victim’s ID
• version – version of SolarMarker backdoor
• task_id – is likely assigned by the C2 to mark the ID for the specific task

The following pattern identifies the status from the C2 (“file” or “idle”). The status file means the C2 is going to send the payload to the infected machine that can be either an executable (.exe) or a PowerShell script (.ps1). The additional payloads will be written to the %TEMP% folder. The payload also appends a unique base64-encoded hash that is different for each communication between the C2 Server and infected machine.

{"status": "idle", "uniq_hash": "J3FutDyWOcLByw=="}

The command value is used to invoke the fetched PowerShell script from C2 (Exhibit 26).

SolarMarker Infostealer

We can see the crypto wallet stealing capability in the Module.Main class (Exhibit 27).

The list of targeted crypto wallets includes:

• Atomic
• Guarda
• SimpleOS
• Neon
• Wasabi
• MyMonero
• Jaxx
• Electrum
• Ethereum
• Exodus
• GreenAddress
• CoinWallet
• Coinomi
• LedgerLive
• Trinity
• Scatter

The SolarMarker infostealer also has the capability to steal VPN and RDP configurations as well as cookies and browser credentials from Opera, Brave, Microsoft Edge, Mozilla Firefox, and Google Chrome since browsers store passwords and cookies in an encrypted form.

Unfortunately, it does not take the infostealer a lot of effort to decrypt the passwords and cookies. Some of the main prerequisites needed to decrypt browser credentials and cookies are shown in Exhibit 28.

• Local State – file that contains the browser’s configuration including encrypted DPAPI (Data Protection API) encryption key.
• Login Data – sqlite3 database that stores user’s encrypted passwords, URLs, and username.
• os_crypt and encrypted_key – the DPAPI encryption key extracted from Local State file and base64-decoded.

The infostealer then calls the CryptUnprotectData function to decrypt the data.

The infostealer fingerprints OS information and sends it to the C2 using the similar pattern as we mentioned before in the backdoor. Communication with C2 channels is also similar with the backdoor using a hard-coded RSA key and symmetric AES CBC algorithm.

How eSentire is Responding

Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create practical outcomes for our customers. We are taking a full-scale response approach to combat modern cybersecurity threats by deploying countermeasures, such as:

• Implementing threat detections and BlueSteel, our machine- learning powered PowerShell classifier, to identify malicious command execution and exploitation attempts and ensure that eSentire has visibility and detections are in place across eSentire MDR for Endpoint and Network.
• Performing global threat hunts for indicators associated with SolarMarker.

Our detection content is supported by investigation runbooks, ensuring our SOC analysts respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures (TTPs). In addition, TRU closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess customer impact.

Recommendations from eSentire’s Threat Response Unit (TRU)

We recommend implementing the following controls to help secure your organization against the SolarMarker malware:

• Implement a Phishing and Security Awareness Training (PSAT) program that educates the employees about the threat landscape.
  • Train users to recognize ‘normal’ file extensions from ‘abnormal’ extensions.
  • Encourage your employees to use password managers instead of using the password storage feature provided by web browsers.
  • Review eSentire’s blogs and Security Advisories to stay up to date on the latest threats and trends impacting the threat landscape.
• Confirm that all devices are protected by ensuring that anti-virus signatures are up-to-date and using a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.
• Ensure the role-based access control (RBAC) that restricts system access to authorized users is in place.

While the TTPs used by adversaries grow in sophistication, so does your organizations defenses. Preventing the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during active intrusions.

eSentire’s TRU team is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.

If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your business ahead of disruption.

Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire Security Specialist.

Appendix

• https://unit42.paloaltonetworks.com/solarmarker-malware/
• https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/
• https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction

Indicators of Compromise

Yara Rules

The Yara rule for the malicious DLL and the executable:

import "pe"
rule  SolarMarker_backdoor {
    meta:
        author = "eSentire TI"
        date = "04/13/2022"
        version = "1.0"
    strings:
        $string1 = "ezkabsr" wide fullword nocase
        $string3 = "deimos.dll" wide fullword nocase
        $string4 = "solarmarker.dat" wide fullword nocase
        $string5 = "dzkabr" wide fullword nocase
        $string6 = "Invoke"
        $string7 = "set_UseShellExecute"
    condition:
        2 of ($string*) and
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)        
}

import "pe"
rule  SolarMarker_stealer {
    meta:
        author = "eSentire TI"
        date = "04/13/2022"
        version = "1.0"
    strings:
        $string1 = "exodus.wallet" wide fullword nocase
        $string2 = "*wallet*.dat" wide fullword nocase
        $string3 = "*.rdp" wide fullword nocase
        $string4 = "default.rdp" wide fullword nocase
        $string5 = "\\atomic\\Local Storage\\leveldb"
        $string6 = "\\Login Data"
        $string7 = "uniq_hash" wide fullword nocase
    condition:
        5 of ($string*) and
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)        
}

import "pe"
rule  SolarMarker_payload {
    meta:
        author = "eSentire TI"
        date = "04/13/2022"
        version = "1.0"
    strings:
        $string1 = "IOSdyabisytda" wide fullword nocase
        $string2 = "PowerShell" 
        $string3 = "Invoke"
        $string4 = "ProcessStartInfo"
    condition:
        3 of ($string*) and
        (uint16(0) == 0x5A4D or uint32(0) == 0x4464c457f)        
}