
SolarMarker's Shift to PyInstaller Tactics

BY eSentire Threat Response Unit (TRU)

April 11, 2024 | 3 MINS READ


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

eSentire's Threat Response Unit (TRU) observed that SolarMarker malware campaigns are now using PyInstaller to hide malicious PowerShell scripts, a shift from the packaging methods seen previously, such as Inno Setup and PS2EXE.

This evolution underscores the adaptability of threat actors and the necessity for continuous vigilance. In response, our team of 24/7 SOC Cyber Analysts quickly isolated the affected device, preventing further compromise.

In this TRU Positive, we’re sharing a case study in which a user downloaded a deceptive PDF from a fake Loma Linda University website, leading to the execution of the SolarMarker backdoor.

The user downloaded a malicious file disguised as a PDF document from a website hosted by threat actors. This site, discovered through a search, masqueraded as Loma Linda University (Figure 1).

Figure 1: Malicious website hosting SolarMarker payload

Executing the initial payload (in our example named “ChildCareWaiverRequest.exe”, MD5: 02df78385af891a268212f6093b91154) spawns a second process in a suspended state. That child process is responsible for running the main compiled Python file together with the dependencies dropped under the “C:\Users\username\AppData\Local\Temp\_MEI*” folder, which is the standard behaviour of PyInstaller’s one-file bootloader (Figure 2).

Figure 2: Process created in a suspended state

Upon decompiling the Python file, we notice names such as b64decode, subprocess and CREATE_NO_WINDOW in the “Names” section. This indicates that the code decodes base64-encoded strings, spawns a new process (powershell.exe), and executes the decoded script within that process (Figure 3).

CREATE_NO_WINDOW is a Windows process-creation flag. Passed to subprocess via the creationflags argument, it tells Windows not to display a console window for the spawned process, so the PowerShell execution is invisible to the user.

Figure 3: Decompiled .pyc file

The first blob of the base64-encoded strings contains the decoy PDF file “~BH-04918471412496586.pdf” (MD5: 3ccb3a9ab45b0f6019c7fcefaea15e8f) shown in Figure 4.

Figure 4: Decoy PDF file

The second blob of base64-encoded strings contains the SolarMarker backdoor, which is decrypted using AES (Advanced Encryption Standard). The script then invokes a method (ROlE12X1RL2rjeOl92VczRp7cwNevbFIEfbyldUMlfayIcoU_Pti8MiNdHKRKX1knWKh09K) from the dynamically loaded assembly (Figure 5).

Figure 5: The second blob containing the encrypted SolarMarker backdoor payload within the decompiled Python file
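A triage helper in the spirit of the analysis above, added here as an example and not part of eSentire’s tooling: it walks a decompiled code object, checks co_names for the loader signature (b64decode, subprocess, Popen, CREATE_NO_WINDOW) and classifies long base64 string constants by what they decode to (a decoy PDF, plaintext PowerShell, or an opaque blob such as an AES-encrypted stage). The embedded sample source is constructed, is compiled for inspection only and is never executed; load_pyc assumes a CPython 3.7+ .pyc (16-byte header) produced by the same interpreter version that runs the tool.

```python
import base64, marshal, re, types

# Names whose co-occurrence in co_names is the loader signature described above.
LOADER_NAMES = {"b64decode", "subprocess", "Popen", "CREATE_NO_WINDOW"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")      # long base64 string constants
PS_RE = re.compile(rb"(?i)\b(Write|Invoke|Set|Get|New|Add)-[A-Za-z]+")  # Verb-Noun cmdlets

def load_pyc(path):
    """Code object from a CPython 3.7+ .pyc: 16-byte header, then marshal data (assumption: same interpreter version)."""
    with open(path, "rb") as fh:
        return marshal.loads(fh.read()[16:])

def walk(code):
    """Yield a code object and every nested function/class body inside it."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk(const)

def classify(raw):
    if raw.startswith(b"%PDF"):
        return "pdf"         # decoy document, like the first blob
    if PS_RE.search(raw):
        return "powershell"  # plaintext script
    return "opaque"          # e.g. an AES-encrypted stage, like the second blob

def triage(code):
    names, blobs = set(), []
    for c in walk(code):
        names.update(c.co_names)
        for const in c.co_consts:
            if isinstance(const, str) and B64_RE.fullmatch(const):
                raw = base64.b64decode(const, validate=True)
                blobs.append((classify(raw), len(raw)))
    return {"loader_names": sorted(names & LOADER_NAMES), "blobs": blobs}

# Constructed stand-in for the decompiled loader; compiled for inspection only, never run.
_PDF = b"%PDF-1.4\n% constructed decoy stub\n1 0 obj << /Type /Catalog >> endobj\n"
_PS = b"Write-Output 'constructed placeholder, not a real script'"
SAMPLE_SRC = f"""import subprocess
from base64 import b64decode
BLOB_A = "{base64.b64encode(_PDF).decode()}"
BLOB_B = "{base64.b64encode(_PS).decode()}"
def drop():
    open("decoy.pdf", "wb").write(b64decode(BLOB_A))
    subprocess.Popen(["powershell.exe"], creationflags=subprocess.CREATE_NO_WINDOW)
"""

def triage_sample():
    return triage(compile(SAMPLE_SRC, "<sample>", "exec"))
```

On a real extraction, pass load_pyc("path/to/file.pyc") to triage; a hit on all four loader names plus one "pdf" and one "opaque" blob is the pattern this case showed.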

The SolarMarker malware campaign cleverly combines PowerShell and Python to sneak past basic defenses. Yet, by maintaining oversight of the entire process from start to finish, we can still detect and neutralize these complex malware threats effectively.

What did we do?

Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the client of suspicious activities.

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

We recommend implementing the following controls to help secure your organization against SolarMarker malware:

Indicators of Compromise

You can access the indicators here.

eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
