eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
In April 2024, our team of 24/7 SOC Cyber Analysts responded to a SolarMarker infection event. The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed (Figure 1).
This deceptive site lured the user into downloading what appeared to be a legitimate document, but instead initiated the download of the malicious SolarMarker payload. This incident escalated as SolarMarker deployed additional malicious components, including StellarInjector and SolarPhantom.
Figure 1: Infection chain
Previously, SolarMarker embedded its backdoor in the code. Recently, however, SolarMarker has started embedding the backdoor in the resource section (Figure 2) of the file encrypted with the AES encryption algorithm. Upon execution of the initial payload, the fake error will be displayed (Figure 3).
Figure 2: Embedded SolarMarker backdoor in the resource section
Figure 3: Fake error message
The backdoor connects to the C2 servers at 2.58.15[.]118 and 146.70.80[.]83.
Upon the successful connection to the backdoor server, the threat actors delivered the StellarInjector payload (MD5: 0440b3fbc030233b4e9c6748eba27e4d) that is responsible for injecting SolarPhantom (MD5: 6bef5498c56691553dc95917ff103f5e) into SearchIndexer.exe process (Figure 4).
SolarPhantom features info stealing and hVNC (hidden virtual network computing) capabilities.
For SolarPhantom, the browsing data is staged within a folder in the %TEMP% directory. The folder's name is the 10-digit value, for example "3619417678". The filename is generated based on the following:
The function retrieves a byte from the input data. The data includes a path to the user's browser profile, appended with the string "saturn" and the location of the Firefox executable, for example:
The byte is then XORed with the least significant byte (LSB) of v1 value after it has been shifted to the right by 8 bits. This operation will produce an index that will be used to access a specific value in the CRC32 lookup table.
The value retrieved from the lookup table is XORed with the v1 value. This XOR operation updates v1 to a new value.
Figure 5: Staging folder name generation algorithm
We have observed SolarMarker using two different certificates for the initial payload:
Ameri Mode Inc. (Issuer: DigiCert)
SMART AC VIET NAM TM & DV JOINT STOCK COMPANY (Issuer: GlobalSign)
What did we do?
Our team of 24/7 SOC Cyber Analysts isolated the affected host, notified the customer of suspicious activities, and provided remediation support.
What can you learn from this TRU Positive?
By deploying additional components like StellarInjector and SolarPhantom, the attackers enhanced their capabilities for system compromise and data exfiltration.
SolarMarker utilizes search engine optimization (SEO) poisoning techniques to manipulate search engine results and boost the visibility of deceptive links.
The attackers' use of SEO tactics to direct users to malicious sites underscores the importance of being cautious about clicking on search engine results, even if they appear legitimate.
The incident emphasizes the danger of malicious websites impersonating well-known legitimate sites like Indeed. In this case, enterprise users appeared to be the preferred target given the keywords targeted and impersonation of the Indeed brand.
Users should also be vigilant and verify the authenticity of websites before downloading any files.
The use of legitimate certificates, such as those signed by DigiCert and GlobalSign, for the initial payload indicates the need to scrutinize digital certificates and the entities using them thoroughly.
The case highlights the critical need for continuous vigilance, threat intelligence, and proactive defense measures, including regular security updates and employee training to recognize and respond to potential threats.
Recommendations from our Threat Response Unit (TRU):
We recommend implementing the following controls to help secure your organization against SolarMarker:
Encourage your employees to use password managers instead of using the password storage feature provided by web browsers. Use master passwords where applicable.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
