
The Oncoming Wave of SolarMarker

BY eSentire Threat Response Unit (TRU)

February 7, 2024 | 3 MINS READ

Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation-state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

Since November 2023, the eSentire Threat Response Unit (TRU) has observed a significant increase in SolarMarker infections across clients in the insurance, manufacturing, software, construction, real estate, utilities, and legal industries.

eSentire TRU has tracked SolarMarker since 2021. In recent cases, SolarMarker's threat actor has alternated between the Inno Setup and PS2EXE tools to generate payloads. Additionally, payloads generated with PS2EXE were further modified by several string replacements in the file, as seen in Figures 1 and 2.

Figure 1: Unmodified executable generated by PS2EXE
Figure 2: Modified executable generated by PS2EXE

The extracted PowerShell script is shown in Figure 3. It writes 0 bytes to the decoy PDF named “EULA.pdf,” so the victim sees an error when the infected machine tries to open the file. The payload within the script is encrypted with the Advanced Encryption Standard (AES); after successfully decrypting the payload, the script invokes specific class and method names.

Figure 3: Extracted PowerShell script
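The zero-byte decoy PDF described above is a cheap behavioural signal for defenders: PDF readers and browsers do not write empty PDFs, but a document-lookalike executable in a user's profile does. The following is an added example of that check, not code from the eSentire post. The file-write event records are constructed, their field names (pid, image, target, size) are an assumed generic EDR schema rather than any vendor's, and the allowlist of legitimate PDF producers is an assumption to be tuned per environment.

```python
"""Flag zero-byte PDF "decoys" written by lookalike executables.

Added example, not eSentire's code. The post describes the PS2EXE-wrapped
script writing 0 bytes to a decoy "EULA.pdf" so the victim sees a broken
document. The telemetry records below are constructed and their field names
are an assumption (generic EDR file-write events), not any vendor's schema.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class FileWriteEvent:
    pid: int
    image: str   # full path of the process that wrote the file
    target: str  # full path of the file written
    size: int    # bytes written; the decoy is written with 0 bytes


# Processes expected to create PDFs legitimately. Assumed allowlist for the
# example; tune it to the software actually deployed in the environment.
PDF_PRODUCERS = {"acrord32.exe", "acrobat.exe", "winword.exe",
                 "chrome.exe", "msedge.exe", "firefox.exe"}


def in_user_profile(path: PureWindowsPath) -> bool:
    """True for paths under C:\\Users\\<name>\\..., where downloaded lures land."""
    parts = [p.lower() for p in path.parts]
    return len(parts) > 2 and parts[1] == "users"


def is_suspicious_decoy_write(ev: FileWriteEvent) -> bool:
    target = PureWindowsPath(ev.target)
    image = PureWindowsPath(ev.image)
    # Signal 1: a PDF that ends up empty.
    if target.suffix.lower() != ".pdf" or ev.size != 0:
        return False
    # Signal 2: written by something that is not a known PDF producer.
    if image.name.lower() in PDF_PRODUCERS:
        return False
    # Signal 3: the writer is an executable living in the user's profile
    # (Downloads, Temp), matching the document-lookalike EXE names in the
    # post's IoC list.
    return image.suffix.lower() == ".exe" and in_user_profile(image)


def find_decoy_pdf_writes(events):
    """Return the events that match all three signals."""
    return [ev for ev in events if is_suspicious_decoy_write(ev)]


# Constructed telemetry: one SolarMarker-like decoy write among benign noise.
SAMPLE_EVENTS = [
    FileWriteEvent(4120, r"C:\Users\jdoe\Downloads\AutoCAD-Electrical-Quick-Reference-Guide--Autodesk.exe",
                   r"C:\Users\jdoe\AppData\Local\Temp\EULA.pdf", 0),
    FileWriteEvent(2288, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                   r"C:\Users\jdoe\Downloads\invoice.pdf", 48213),
    FileWriteEvent(3104, r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
                   r"C:\Users\jdoe\Documents\draft.pdf", 0),
    FileWriteEvent(1172, r"C:\Windows\System32\spoolsv.exe",
                   r"C:\Windows\Temp\print.pdf", 0),
]

if __name__ == "__main__":
    for ev in find_decoy_pdf_writes(SAMPLE_EVENTS):
        print(f"pid {ev.pid}: {ev.image} wrote empty {ev.target}")
```

Only the first constructed event trips all three signals; the empty PDF from Acrobat and the spooler's temp file are filtered by the producer allowlist and the profile-path check respectively, which keeps the rule quiet on ordinary document workflows.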

SolarMarker’s decrypted payload has changed slightly from the one described in our previous blog: in the recent payloads, the threat actor added more junk instructions (Figure 4) and junk byte arrays (Figure 5).

Figure 4: Junk code
Figure 5: Junk byte arrays

The string encryption method remains the same as described in the previous blog.

Upon successful infection, SolarMarker loads second-stage payloads, including infostealers and hVNC (hidden VNC).

What did we do?

Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the customer of suspicious activities.

Detection Rules

You can access Yara rules for SolarMarker here.

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

We recommend implementing the following controls to help secure your organization against SolarMarker malware:


Indicators of Compromise

RSA public key (RSAKeyValue XML):

<RSAKeyValue><Modulus>r9ensa/OHF27irVbIoStwHshi0DXxyt4ATicvgCykFs15FcuHFKlzd2K1Z5wAh9bNCRP1nBpAJvgHDMWxHZ9pnYbnKsrP/i0sXcxkMlcYxmzb7ePWT64LVVaV9Zw+e5L4AkrSKSvlb1PfKUQuksT7osEWaQXCX3T0cbNjIuFsYQGoTVtMdQXu0xVd4AXo1yv2VKieGlsCSiuXxd4RN4EshDH5dZR5QJ71GrFuWZoDRaDNMXAq71MInInlXWA2tf75ROvLr1kT863Mk+VmdCFO75bmVq6D+WRwS7T0qyfrth+PClPEbFKmO3IXcAMD1GW77upEWA9bHU4nL93yzMPwQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>

Version: "DE-4"

Digital Signatures used in the payloads we have seen:

Name                                                          Indicators
2018-IBC-Use-of-Fire-and-Smoke-Separations-2019-ICC-Annual    b45c31679c2516b38c7ff8c395f1d11d (MD5)
C2                                                            78.135.73[.]165
C2                                                            217.138.215[.]85
C2                                                            146.70.145[.]242
C2                                                            185.243.113[.]39
Decrypted payload                                             8eeefe0df0b057fc866b8d35625156de (MD5)
AutoCAD-Electrical-Quick-Reference-Guide--Autodesk.exe        1d99b085ff8994642129312556f66740da9b9c8a (SHA1)
PLAYsheet--Warlord-Games.exe                                  67c01d8c01fcac56007230dce48f3cb3184c8321899f31be34a1a280582fa3eb (SHA256)
USER-ACCEPTANCE-TESTING-TEST-CASE-TEMPLATE--Smartsheet.exe    a24bc1178a53b6afb67d802a2adb2ab48a9f203e9c6da756323a3178b0b6d02c (SHA256)
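The indicators above are published defanged ("[.]" in place of ".") and mix MD5, SHA1 and SHA256 values, so they need a small amount of normalisation before they can be swept across logs. The following is an added example of that sweep, not code from the eSentire post: it refangs the C2 addresses, classifies each hash by its hex length, and matches both against constructed firewall and EDR log lines. The log format (key=value records) and the placeholder hosts 10.0.4.21 and 203.0.113.7 are assumptions; only the indicator values come from the table.

```python
"""Refang the post's IoCs and sweep logs for them.

Added example, not eSentire's code. The C2 addresses and file hashes come from
the IoC table above; the log lines are constructed for the example, and their
format (key=value firewall and EDR records) is an assumption.
"""
import re

# IoCs as published above, still defanged ("[.]"), one "name|value" per line.
RAW_IOCS = """\
C2|78.135.73[.]165
C2|217.138.215[.]85
C2|146.70.145[.]242
C2|185.243.113[.]39
Decrypted payload|8eeefe0df0b057fc866b8d35625156de
2018-IBC-Use-of-Fire-and-Smoke-Separations-2019-ICC-Annual|b45c31679c2516b38c7ff8c395f1d11d
AutoCAD-Electrical-Quick-Reference-Guide--Autodesk.exe|1d99b085ff8994642129312556f66740da9b9c8a
PLAYsheet--Warlord-Games.exe|67c01d8c01fcac56007230dce48f3cb3184c8321899f31be34a1a280582fa3eb
USER-ACCEPTANCE-TESTING-TEST-CASE-TEMPLATE--Smartsheet.exe|a24bc1178a53b6afb67d802a2adb2ab48a9f203e9c6da756323a3178b0b6d02c
"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")


def refang(value: str) -> str:
    """Turn the publication-safe 78.135.73[.]165 back into a matchable IP."""
    return value.replace("[.]", ".")


def load_iocs(text: str):
    """Split the IoC list into {ip: name} and {hash: (algo, name)} lookups."""
    ips, hashes = {}, {}
    for line in text.strip().splitlines():
        name, value = line.split("|", 1)
        value = refang(value.strip())
        if IPV4_RE.fullmatch(value):
            ips[value] = name
        elif HEX_RE.fullmatch(value):
            hashes[value.lower()] = (HASH_TYPES[len(value)], name)
    return ips, hashes


def sweep(lines, ips, hashes):
    """Return (line_no, kind, indicator, name) for every IoC seen in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((n, "c2", ip, ips[ip]))
        for h in HEX_RE.findall(line):
            h = h.lower()
            if h in hashes:
                hits.append((n, hashes[h][0], h, hashes[h][1]))
    return hits


# Constructed sample telemetry; 10.0.4.21 and 203.0.113.7 are placeholder hosts.
SAMPLE_LOGS = [
    "2024-02-05T10:11:12Z fw src=10.0.4.21 dst=78.135.73.165 dport=443 action=allow",
    "2024-02-05T10:11:40Z fw src=10.0.4.21 dst=203.0.113.7 dport=443 action=allow",
    r"2024-02-05T10:12:03Z edr host=WS-0421 file=C:\Users\jdoe\Downloads\PLAYsheet--Warlord-Games.exe "
    "sha256=67c01d8c01fcac56007230dce48f3cb3184c8321899f31be34a1a280582fa3eb",
    r"2024-02-05T10:12:05Z edr host=WS-0421 file=C:\Users\jdoe\Downloads\setup.exe sha256=" + "00" * 32,
]

if __name__ == "__main__":
    ip_iocs, hash_iocs = load_iocs(RAW_IOCS)
    for line_no, kind, indicator, name in sweep(SAMPLE_LOGS, ip_iocs, hash_iocs):
        print(f"line {line_no}: {kind} match {indicator} ({name})")
```

The hex pattern tries the longest length first so a SHA256 is never reported as an embedded MD5, and hashes are lower-cased on both sides because EDR exports are inconsistent about case. Matching the outbound destination alone is enough here since the post lists the addresses as C2; a real sweep would also record the source host for containment.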


eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
