eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
Since November 2023, the eSentire Threat Response Unit (TRU) have observed a significant increase in SolarMarker infections across the clients within the insurance, manufacturing, software, construction, real estate, utilities, and legal industries.
eSentire TRU has tracked SolarMarker since 2021. In recent cases, SolarMarker's threat actor has alternated between Inno Setup and PS2EXE
tools to generate payloads. Additionally, payloads generated using PS2EXE were modified using several string replacements on the file, seen in Figures 1 and 2.
Figure 1: Unmodified executable generated by PS2EXEFigure 2: Modified executable generated by PS2EXE
The PowerShell script extracted can be seen in Figure 3. This script is designed to write 0 bytes to the decoy PDF named “EULA.pdf,” causing an error when the infected machine tries to open the PDF file. The payload within the script is encrypted using Advanced Encryption Standard (AES). After successfully decrypting the payload, the script will invoke specific class and method names.
Figure 3: Extracted PowerShell script
SolarMarker’s decrypted payload has changed slightly from the one we described in our previous blog. With the recent payloads, the threat actor added more junk instructions (Figure 4), as can be seen in Figure 5 where junk byte arrays are present.
Figure 4: Junk codeFigure 5: Junk byte arrays
The string encryption method still remains the same as described in the previous blog.
Upon successful infection, SolarMarker loads second-stage payloads including infostealers and hVNC.
What did we do?
Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the customer of suspicious activities.
SolarMarker's significant increase in infections across various industries, including insurance, manufacturing, software, and others, demonstrates its wide-reaching impact. This indicates a need for cross-industry awareness and preparedness against such threats.
The SolarMarker threat actor's alternating use of Inno Setup and PS2EXE tools, along with slight modifications to the executables, reflects their evolving tactics. This highlights the importance of staying updated on threat actor methodologies for better cybersecurity defenses.
The consistency of the string encryption method used by SolarMarker over time suggests a pattern that can be leveraged for detection. Understanding these encryption techniques can aid in developing more robust security measures.
The loading of second-stage payloads like infostealers and hVNC upon successful infection with SolarMarker underscores the multi-layered approach in modern malware. Recognizing such strategies is crucial for comprehensive threat mitigation.
The addition of junk instructions and byte arrays in recent payloads indicates an increasing effort by attackers to evade detection and slow down the analysis process. This emphasizes the need for dynamic and adaptable detection mechanisms in cybersecurity tools.
Recommendations from our Threat Response Unit (TRU):
We recommend implementing the following controls to help secure your organization against SolarMarker malware:
Encourage your employees to use password managers instead of using the password storage feature provided by web browsers. Use master passwords where applicable.
eSentire TRU is a world-class team of threat researchers who develop new detections enriched by original threat intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to advanced threats.
To learn what it means to have an elite team of Threat Hunters and researchers that works for you, connect
with an eSentire Security Specialist now.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
