Beware Of Malicious Search Results Leading To SolarMarker Malware Installation

by Esmeralda McKenzie

The SOC analysts identified a drive-by download attack leveraging SolarMarker malware, in which the attackers targeted users searching for team-building activities on Bing.

Attackers tricked the victim into downloading a seemingly innocent document by redirecting the user to a malicious website impersonating the legitimate Indeed job search platform.

However, this downloaded file was actually the SolarMarker payload, which, upon execution, deployed additional malicious components, StellarInjector and SolarPhantom, to compromise the system further.

Figure: Infection chain

SolarMarker has changed its tactics: previously, the backdoor was embedded directly within the code, whereas now the malware embeds the backdoor within the resource section of an AES-encrypted file.

Once executed, the initial payload displays a fake error message, and the backdoor connects to command and control (C2) servers at the IP addresses 2.58.15.118 and 146.70.80.83.

Figure: Fake error message

Threat actors delivered the StellarInjector payload (MD5: 0440b3fbc030233b4e9c6748eba27e4d) upon a successful connection to the backdoor server.

This payload injects SolarPhantom (MD5: 6bef5498c56691553dc95917ff103f5e) into the SearchIndexer.exe process, enabling information stealing and hidden virtual network computing (hVNC) capabilities.

The backdoor configuration reveals that the target system is Windows 10 x86 and that the backdoor runs with low privileges.

Figure: Process tree

It targets Firefox browsing data, extracts the user's profile path, and appends "saturn" and the location of the Firefox executable, which is likely used for further malicious actions.

The malware then uses an RSA public key, represented by the supplied `` and `` elements, for possible encryption or validation, and appears to stage stolen data within temporary folders named with 10-digit values.

Figure: Staging folder name generation algorithm

The malware, known for data theft, uses a specific algorithm to generate folder names for the initial payload: it shifts the least significant byte of a v1 value by 8 bits and XORs it with a byte.

The resulting index is then used to retrieve a value from a CRC32 lookup table, and this retrieved value is XORed with the original v1 value, updating it for the next iteration.
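The step described above has the shape of the standard table-driven CRC-32 update. The following Python is an added illustration, not code from the eSentire report or the malware; it implements that standard update and formats the 32-bit result as a zero-padded 10-digit name. The polynomial, seed, final XOR, sample input and decimal formatting are assumptions, since the page only gives the shape of the algorithm.

```python
import zlib

# Assumed: the common reflected CRC-32 polynomial; the page does not name one.
CRC32_POLY = 0xEDB88320


def build_crc32_table():
    """Build the 256-entry lookup table consulted in each iteration."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC32_TABLE = build_crc32_table()


def crc32_step(v1, byte):
    """One iteration: the low byte of v1 XOR the input byte selects a table
    entry, which is XORed into v1 shifted right by 8 bits."""
    index = (v1 ^ byte) & 0xFF
    return CRC32_TABLE[index] ^ (v1 >> 8)


def crc32_bytes(data, seed=0xFFFFFFFF):
    """Run the update over every byte. Seed and final XOR are assumptions
    taken from the standard CRC-32 definition."""
    v1 = seed
    for b in data:
        v1 = crc32_step(v1, b)
    return v1 ^ 0xFFFFFFFF


def staging_folder_name(data, seed=0xFFFFFFFF):
    """Render the 32-bit value as a 10-digit decimal folder name (assumed
    formatting; a 32-bit value needs at most 10 decimal digits)."""
    return f"{crc32_bytes(data, seed):010d}"


if __name__ == "__main__":
    sample = b"constructed-sample-input"  # constructed, not a real artifact
    print(staging_folder_name(sample))
    # Cross-check the hand-rolled update against the library implementation.
    assert crc32_bytes(sample) == zlib.crc32(sample)
```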

It is interesting to note that for this initial payload, SolarMarker uses two different certificates, from DigiCert and GlobalSign.

eSentire's Threat Response Unit (TRU) investigated a SolarMarker infection in April 2024; the attack began with a drive-by download on a user searching for team-building ideas on Bing.

It then deployed additional components, StellarInjector and SolarPhantom, for data theft and remote access.

The backdoor connected to servers at 2.58.15[.]118 and 146.70.80[.]83, which highlights the use of SEO poisoning and fake websites impersonating legitimate ones, and the need for user vigilance and security updates.

Source credit : cybersecuritynews.com
