eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
eSentire's Threat Research Unit (TRU) observed that SolarMarker malware campaigns are now utilizing PyInstaller to hide malicious PowerShell scripts, marking a shift from previous methods such as Inno Setup and PS2EXE.
This evolution underscores the adaptability of threat actors and the necessity for continuous vigilance. In response, our team of 24/7 SOC Cyber Analysts quickly isolated the affected device, preventing further compromise.
In this TRU Positive, we’re sharing a case study that highlights the download of a deceptive PDF from a fake Loma Linda University website, leading to the execution of SolarMarker backdoor.
The user downloaded a malicious file disguised as a PDF document from a website hosted by threat actors. This site, discovered through a search, masqueraded as Loma Linda University (Figure 1).
Executing the initial payload (in our example, it’s named “ChildCareWaiverRequest.exe” (MD5: 02df78385af891a268212f6093b91154)) spawns another process in a suspended mode that is responsible for running the main compiled python file along with dependencies dropped under “C:\Users\username\AppData\Local\Temp\_MEI*” folder (Figure 2).
Figure 2: Process created in a suspended state
Upon decompiling the Python file, we notice the constants from the “Names” section, such as b64decode, subprocess, CREATE_NO_WINDOW, etc. This means that the code decodes base64-encoded strings, spawns a new process (powershell.exe), and executes the base64-decoded script within that process (Figure 3).
The CREATE_NO_WINDOW flag is typically used in conjunction with subprocesses to indicate that the window of the executed process should not be displayed.
Figure 3: Decompiled .pyc file
The first blob of the base64-encoded strings contains the decoy PDF file “~BH-04918471412496586.pdf” (MD5: 3ccb3a9ab45b0f6019c7fcefaea15e8f) shown in Figure 4.
Figure 4: Decoy PDF file
The second blob of base64-encoded strings contains the SolarMarker backdoor that is decrypted using AES (Advanced Encryption Standard) and invokes a method (ROlE12X1RL2rjeOl92VczRp7cwNevbFIEfbyldUMlfayIcoU_Pti8MiNdHKRKX1knWKh09K) from the dynamically loaded assembly (Figure 5).
Figure 5: The second blob containing the encrypted SolarMarkert backdoor payload within the decompiled Python file
The SolarMarker malware campaign cleverly combines PowerShell and Python to sneak past basic defenses. Yet, by maintaining oversight of the entire process from start to finish, we can still detect and neutralize these complex malware threats effectively.
What did we do?
Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the client of suspicious activities.
What can you learn from this TRU Positive?
The SolarMarker malware campaign's shift from using Inno Setup and PS2EXE to PyInstaller for concealing first-stage PowerShell scripts illustrates the threat actors' adaptability and response to detections that exist for SolarMarker.
This underscores the need for continuous monitoring and updating of security protocols to counter new distribution methods.
The malicious file, disguised as a legitimate PDF document and distributed via a website mimicking Loma Linda University, demonstrates the sophisticated social engineering tactics employed.
This highlights the importance of educating users about the risks of downloading files from unverified sources.
Decompiling the Python file reveals the use of base64 decoding, subprocess spawning, and the CREATE_NO_WINDOW flag to execute PowerShell scripts.
This information underscores the importance of having the capability to decompile and analyze malware components.
Recommendations from our Threat Response Unit (TRU):
We recommend implementing the following controls to help secure your organization against SolarMarker malware:
Encourage your employees to use password managers instead of using the password storage feature provided by web browsers. Use master passwords where applicable.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
