Cybersecurity researchers recently detected new activities related to a highly modular backdoor and keylogger. Called Solarmarker, the threat has a multistage, heavily obfuscated PowerShell loader that executes the .NET backdoor.
Solarmarker Backdoor Technical Details
Solarmarker activities were observed independently by researchers at Crowdstrike and Cisco Talos. Both companies detected Solarmarker last year, in October and September, respectively. However, Talos says that some DNS telemetry data even points back to April 2020. This is when the researchers discovered three primary DLL components and multiple variants presenting similar behavior.
“The staging component of Solarmarker serves as the central execution hub, facilitating initial communications with the C2 servers and enabling other malicious modules to be dropped onto the victim host. Within our observed data, the stager is deployed as a .NET assembly named “d” and a single executing class named “m” (referred to jointly in this analysis as “d.m”),” Cisco Talos says.
As a next step, the malware extracts several files to the “AppData\Local\Temp” directory on execution, including a TMP file with the same name as the original downloaded file, and a PowerShell script file (PS1), which initiates the rest of the execution chain.
“The TMP file executing process issues a PowerShell command that loads the content of the dropped PS1 script and runs it before deleting the loaded file. The resulting binary blob is then decoded by XORing its byte array with a hardcoded key and injected into memory through reflective assembly loading. The “run” method of the contained module “d.m” is then called to complete the initial infection,” according to Talos’s technical description.
In a typical attack, a stager will be injected on the victim’s machine for command-and-control communications. Then, a second component, known as Jupyter, is injected by the stager. Jupyter, a DLL module, can steal personal various types of personal details, including credentials and form submissions from browsers such as Firefox and Chrome and user directories.
“The Jupyter information stealer is Solarmarker’s second most-dropped module. During the execution of many of the Solarmarker samples, we observed the C2 sending an additional PS1 payload to the victim host,” according to Cisco Talos.
“Solarmarker’s ongoing campaign and associated family of malware are concerning. It was initially able to operate and evolve over a significant amount of time while remaining relatively undetected,” the researchers note in conclusion. They also expect to see further action and development from Solarmarker’s authors who are likely to include new tactics and procedures to the malware.