Malicious Search SolarMarker Malware

SOC analysts identified a drive-by download attack delivering SolarMarker malware; the attack targeted users searching for team-building activities on Bing.

Attackers redirected the user to a malicious website impersonating the legitimate Indeed job search platform and tricked the victim into downloading a seemingly harmless document.


However, this downloaded file was actually the SolarMarker payload, which, upon execution, deployed additional malicious components, StellarInjector and SolarPhantom, to compromise the system further.

Infection chain

SolarMarker has changed its tactics: previously the backdoor was embedded directly in the code, whereas now the malware embeds the backdoor in the resource section of an AES-encrypted file.


Once executed, the initial payload displays a fake error message, and the backdoor connects to command and control (C2) servers at the IP addresses 2.58.15.118 and 146.70.80.83. 

Fake error message

Threat actors delivered the StellarInjector payload (MD5: 0440b3fbc030233b4e9c6748eba27e4d) upon a successful backdoor server connection. 

This payload injects SolarPhantom (MD5: 6bef5498c56691553dc95917ff103f5e) into the SearchIndexer.exe process, enabling information stealing and hidden virtual network computing (hVNC) capabilities.

The backdoor configuration reveals that the target system is Windows 10 x86 and has limited privileges. 

Process tree

The malware targets Firefox browsing data: it extracts the user’s profile path and appends “saturn” and the location of the Firefox executable, which is likely used for further malicious actions.

The malware then utilizes an RSA public key, represented by the provided `<Modulus>` and `<Exponent>` elements, for potential encryption or validation, which seems to stage stolen data within temporary folders named with 10-digit values. 
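A backdoor configuration that carries its RSA public key as `<Modulus>` and `<Exponent>` elements is using the .NET `RSAKeyValue` XML layout. The triage helper below is an added example, not SolarMarker's code or eSentire's tooling: it parses such a blob, reports the modulus size and exponent, and derives a SHA-256 fingerprint of the modulus that an analyst can use to track key reuse across samples. The sample key is constructed (a 2048-bit odd integer, not a real key), and the parser assumes the .NET big-endian, base64-encoded element encoding.

```python
"""Parse a .NET-style <RSAKeyValue> XML public key blob for malware triage.
Added example; the sample key is constructed and the layout assumed is the
one RSA.ToXmlString/FromXmlString use (big-endian, base64-encoded integers)."""
import base64
import hashlib
import xml.etree.ElementTree as ET


def _int_to_b64(value: int) -> str:
    """Big-endian minimal-length bytes, base64-encoded (assumed .NET convention)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.b64encode(raw).decode("ascii")


def build_sample_key_xml(modulus: int, exponent: int = 65537) -> str:
    """Build a constructed <RSAKeyValue> blob so the example runs offline."""
    return (
        "<RSAKeyValue><Modulus>%s</Modulus><Exponent>%s</Exponent></RSAKeyValue>"
        % (_int_to_b64(modulus), _int_to_b64(exponent))
    )


def parse_rsa_key_xml(xml_text: str) -> dict:
    """Return triage facts about the key: size in bits, exponent, fingerprint."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue blob: root tag is %r" % root.tag)
    mod_el = root.find("Modulus")
    exp_el = root.find("Exponent")
    if mod_el is None or exp_el is None or not mod_el.text or not exp_el.text:
        raise ValueError("RSAKeyValue blob lacks Modulus or Exponent")
    mod_bytes = base64.b64decode(mod_el.text.strip())
    exp_bytes = base64.b64decode(exp_el.text.strip())
    modulus = int.from_bytes(mod_bytes, "big")
    exponent = int.from_bytes(exp_bytes, "big")
    return {
        "modulus_bits": modulus.bit_length(),
        "exponent": exponent,
        # An even modulus cannot be a product of two odd primes: flag junk/decoy keys.
        "modulus_is_odd": modulus % 2 == 1,
        # Stable pivot value for hunting the same key in other samples' configs.
        "fingerprint_sha256": hashlib.sha256(mod_bytes).hexdigest(),
    }


# Constructed sample: a 2048-bit odd integer standing in for a real modulus.
SAMPLE_MODULUS = (1 << 2047) | 0x10001
SAMPLE_KEY_XML = build_sample_key_xml(SAMPLE_MODULUS)

if __name__ == "__main__":
    for k, v in parse_rsa_key_xml(SAMPLE_KEY_XML).items():
        print("%-18s %s" % (k, v))
```

Feeding the parser a blob recovered from a sample's configuration yields the key size and exponent directly, and the modulus fingerprint is a cheap, stable value to search for across other SolarMarker configurations.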

Staging folder name generation algorithm

The information-stealing malware uses a specific algorithm to generate folder names for the initial payload: it shifts the least significant byte of a v1 value by 8 bits and XORs it with a byte.

The resulting index is then used to retrieve a value from a CRC32 lookup table and this retrieved value is XORed with the original v1 value, updating it for the next iteration. 
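The steps described above (take the low byte of `v1`, XOR it with an input byte, use the result as an index into a CRC32 table, XOR the table value back into the shifted `v1`) are the inner loop of a standard table-driven CRC32, and a 32-bit CRC written in decimal is at most 10 digits, which fits the 10-digit folder names the article mentions. The code below is an added example, not SolarMarker's code: it implements that loop, checks it against `zlib.crc32`, renders the result as a zero-padded 10-digit name, and includes a small hunting filter for such names in a directory listing. It assumes the standard reflected polynomial `0xEDB88320` and the usual `0xFFFFFFFF` initial and final XOR, which the article does not state, and the input string and directory listing are constructed.

```python
"""Table-driven CRC32 loop as described for SolarMarker's staging folder
names, plus a filter for 10-digit folder names. Added example; polynomial and
init/final XOR are assumed to be the standard CRC32 ones; inputs are constructed."""
import re
import zlib

POLY = 0xEDB88320  # assumed: standard reflected CRC32 polynomial


def make_crc32_table() -> list:
    """Build the 256-entry lookup table the byte-at-a-time loop indexes into."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


CRC32_TABLE = make_crc32_table()


def crc32_table_driven(data: bytes) -> int:
    """The loop from the article: low byte of v1 XOR input byte -> table index;
    table value XOR (v1 >> 8) -> new v1."""
    v1 = 0xFFFFFFFF  # assumed initial value
    for byte in data:
        index = (v1 ^ byte) & 0xFF
        v1 = CRC32_TABLE[index] ^ (v1 >> 8)
    return v1 ^ 0xFFFFFFFF  # assumed final XOR


def folder_name_from_crc(value: int) -> str:
    """Render a 32-bit value as the 10-digit decimal string a staging folder
    would be named with (max 32-bit value 4294967295 is exactly 10 digits)."""
    return "%010d" % (value & 0xFFFFFFFF)


STAGING_NAME_RE = re.compile(r"\d{10}")


def looks_like_staging_folder(name: str) -> bool:
    """True when a directory name is exactly 10 decimal digits."""
    return STAGING_NAME_RE.fullmatch(name) is not None


def hunt_staging_folders(names) -> list:
    """Filter a directory listing down to 10-digit candidates for review."""
    return [n for n in names if looks_like_staging_folder(n)]


# Constructed directory listing standing in for a %TEMP% enumeration.
CONSTRUCTED_TEMP_LISTING = [
    "3421780262", "tmp1234", "0000000042", "WinSxS", "1234567890123", "12345",
]

if __name__ == "__main__":
    crc = crc32_table_driven(b"123456789")
    print("crc32(123456789) = 0x%08X, zlib agrees: %s"
          % (crc, crc == zlib.crc32(b"123456789")))
    print("as folder name:", folder_name_from_crc(crc))
    print("candidates:", hunt_staging_folders(CONSTRUCTED_TEMP_LISTING))
```

A 10-digit name on its own is a weak indicator, so the filter is meant as a first pass: confirm candidates by their parent directory (the temporary folders the article names) and by the creating process before treating them as staging folders.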

It’s interesting to note that for this initial payload, SolarMarker is using two different certificates from DigiCert and GlobalSign. 

eSentire’s Threat Response Unit (TRU) investigated a SolarMarker infection in April 2024; the attack began with a drive-by download on a user searching for teambuilding ideas on Bing.

It then deployed additional components, StellarInjector and SolarPhantom, for information theft and remote access.

The backdoor connected to servers at 2.58.15[.]118 and 146.70.80[.]83. The case highlights the use of SEO poisoning, fake websites impersonating legitimate ones, and the need for user vigilance and security updates.
