In a second wave of attacks, a sophisticated piece of malware known as Solarmarker has returned to the wild and will once again try to steal credentials.
What is Solarmarker Malware?
Telemetry data suggests malicious activity associated with the Solarmarker campaign as far back as April 2020; the campaign has been active since September 2020.
Talos researchers Andrew Windsor and Chris Neal wrote in a technical write-up published last week that the Solarmarker campaign appears to be conducted primarily by a sophisticated actor focused on credential and residual information theft.
Infections often consist of multiple moving parts, including the deployment of components such as Jupyter and Uran (likely a reference to Uranus), which may be used to carry command-and-control (C2) communications.
It can access a victim’s Firefox or Google Chrome browser to steal personal information, credentials, and form submission values, while a previously unknown payload acts as a keylogger to record keystrokes.
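The browser credential theft described above leaves a detectable trace: a process that is not the browser reading the browser's own password, cookie or autofill stores. The following Python is an added example for defenders, not code from Talos or from the article; the file names are the real on-disk stores used by Chrome and Firefox, but the pipe-delimited audit-event format and the sample events are constructed for this illustration, and the process names in the hits are hypothetical.

```python
"""Heuristic: flag non-browser processes reading browser credential stores.

Added example (not from the Talos write-up). The event format below is
constructed; map your own EDR or Sysmon file-access events onto it.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Real on-disk credential / form stores for Chrome and Firefox on Windows.
CREDENTIAL_STORES = {
    "login data",      # Chrome saved passwords (SQLite)
    "web data",        # Chrome autofill and form values (SQLite)
    "cookies",         # Chrome cookies (SQLite)
    "logins.json",     # Firefox saved logins
    "key4.db",         # Firefox key database protecting logins.json
    "cookies.sqlite",  # Firefox cookies
}

# Processes that legitimately read their own stores.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class FileAccessEvent:
    ts: str        # timestamp string as logged
    process: str   # full image path of the process performing the read
    path: str      # full path of the file opened for read


def parse_event(line: str) -> FileAccessEvent:
    """Parse one constructed audit line: '<ts>|<process image>|<file path>'."""
    ts, process, path = line.split("|", 2)
    return FileAccessEvent(ts, process, path)


def is_credential_store(path: str) -> bool:
    """True if the path is a known Chrome/Firefox store inside a browser profile."""
    p = PureWindowsPath(path)
    parts = {part.lower() for part in p.parts}
    # Chrome keeps profiles under 'User Data', Firefox under 'Profiles'.
    in_browser_profile = bool(parts & {"user data", "profiles"})
    return p.name.lower() in CREDENTIAL_STORES and in_browser_profile


def suspicious_reads(events):
    """Return events where a non-browser process read a credential store."""
    hits = []
    for ev in events:
        if not is_credential_store(ev.path):
            continue
        proc_name = PureWindowsPath(ev.process).name.lower()
        if proc_name in BROWSER_PROCESSES:
            continue  # the browser reading its own data is expected
        hits.append(ev)
    return hits


def detect(lines):
    """Parse constructed audit lines and return (process name, path) for each hit."""
    hits = suspicious_reads(parse_event(l) for l in lines)
    return [(PureWindowsPath(h.process).name.lower(), h.path) for h in hits]


# Constructed sample events: two benign browser reads, one unrelated read,
# and two reads by non-browser processes (hypothetical names).
SAMPLE_LOG = [
    r"2021-11-01T10:02:13Z|C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2021-11-01T10:05:41Z|C:\Users\alice\AppData\Roaming\Temp\updater.exe"
    r"|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2021-11-01T10:06:02Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\logins.json",
    r"2021-11-01T10:07:30Z|C:\Windows\explorer.exe"
    r"|C:\Users\alice\Documents\notes.txt",
    r"2021-11-01T10:08:11Z|C:\Program Files\Mozilla Firefox\firefox.exe"
    r"|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default-release\key4.db",
]

if __name__ == "__main__":
    for proc, path in detect(SAMPLE_LOG):
        print(f"ALERT non-browser read of credential store: {proc} -> {path}")
```

The heuristic is deliberately narrow: it keys on file name plus the profile directory so that an unrelated file called "cookies" elsewhere on disk does not fire, and it tolerates the browser reading its own stores. Backup agents and password managers will need an allow-list in a real deployment.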
There have also been multiple changes to the infection chain, as well as the return of old tricks such as SEO poisoning, which have contributed to the recent surge in activity. SEO poisoning involves abusing Search Engine Optimization (SEO) techniques to boost the visibility of malicious sites and dropper files in search engine results.
Solarmarker’s artifacts may have been designed in a way that misleads TAC, and Talos suspects this may have been done intentionally.
The researchers concluded that the actor behind Solarmarker possesses moderate to advanced abilities: substantial effort is needed to maintain the interconnected, rotating infrastructure.
A key characteristic of the actor is ensuring the continuity of the campaign, such as updating the encryption methods used for C2 communication in the Mars DLL following the disassembly of previous components of the malware, alongside more commonly used strategies such as changing the C2 infrastructure hosts.