New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns

This post is also available in: 日本語 (Japanese)

Executive Summary

Recently, we've identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities, mainly delivered through search engine optimization (SEO) manipulation to convince users to download malicious documents.

Some of SolarMarker’s capabilities include the exfiltration of auto-fill data, saved passwords and saved credit card information from victims’ web browsers. Besides capabilities typical for infostealers, SolarMarker has additional capabilities such as file transfer and execution of commands received from a C2 server.

The malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts.

This malware has been prevalent since September 2020 targeting U.S. organizations, and part of the infrastructure is still active as of 2022 in addition to a new infrastructure that attackers have recently deployed.

Here, we dive into the technical details of the newly identified SolarMarker activity – specifically, how this malware often changes and modifies its attack patterns. For example, the recent version demonstrated an evolution from Windows Portable Executables (EXE files) to working with Windows installer package files (MSI files). According to the evidence we have, this campaign is still in development and going back to using executables files (EXE) as it did in its earlier versions.

Palo Alto Networks customers received protections against the newly discovered campaigns through Cortex XDR and WildFire.

Infection Vector

SolarMarker is multi-stage malware. The attackers use obfuscated PowerShell scripts to deploy their attack and stay under the radar.

The primary infection vector of SolarMarker is SEO poisoning, which is an attack method in which threat actors create malicious websites packed with keywords and use search engine optimization techniques to make them show up prominently in search results.

Deployment of SolarMarker Infrastructure on a Victim Machine

The initial stage is an EXE file larger than 250MB (the large file size helps to avoid inspection by an automated sandbox or an AV engine). In this case, the file we analyzed was called setup.exe. based on the sample compilation date in February 2022, the demonstrated artifacts belong to a new development in the malware lifecycle.

This file is a .NET-compiled dropper that will drop and execute an installer of a legitimate program to avoid raising the user’s suspicion toward the downloaded binary.

In parallel, the malware runs a PowerShell loader in a new thread to load and execute the SolarMarker backdoor payload.

We can see the loaded script decoded by debugging the PowerShell invoke function.

Let's take a look at the script.

Main Sections of the PowerShell Script

• showWindowAsync makes PowerShell windows hidden to conceal malicious activity from the plain sight of users.
• Writes the encrypted base64 payload of the SolarMarker backdoor to file with random extension into the TEMP folder.
• Achieves persistence using the lnk file in the startup folder. The target file of the lnk is the encrypted base64 payload of the SolarMarker backdoor with the random extension. (This file cannot be run directly).
• In Windows environments, every file extension is associated with a default program. The associations of extensions with programs are handled through the registry. SolarMarker sets a handler to the custom random extension to run the encrypted payload. This handler is a PowerShell script that decrypts the payload and loads the bytes of the encrypted payload (backdoor) into memory.

The attacker avoids downloading the assembly to disk and subverts it using the ”Load” method, which accepts a byte array instead of a file. The loading technique is called Reflective Code Loading.

In the first execution of the malware on the victim machine, the encrypted payload (backdoor) will load into the first stage of the malware (setup.exe) because, as we mentioned earlier, setup.exe opened a new thread in which it ran the PowerShell script.

After the reboot, the encrypted payload will load directly into the PowerShell process due to the lnk file from the startup folder.

Encrypted Payload

We’ve so far mentioned the encrypted payload many times. What exactly is it?

We can make a small change to the PowerShell script of the attacker to save the assembly to disk rather than loading it directly into memory. In addition, this can help us understand the functionality of this version of SolarMarker.

We got a .NET-compiled Dynamic-Link Library (.DLL) that contains the core code of the SolarMarker backdoor with an embedded C2 client.

When looking at the decompiled code and the names of the classes and functions, we can see that they don't look right. Instead, they look like they are obfuscated.

After quickly running de4dot, we can see that it unpacked and deobfuscated:

SolarMarker Backdoor

The SolarMarker backdoor is a .NET C2 client that will communicate with the C2 server within the encrypted channel.

The protocol communication is HTTP – usually POST requests.

The data is encrypted using RSA encryption with Advanced Encryption Standard (AES) symmetric encryption.

The client performs internal reconnaissance, collects basic information about the victim machine and exfiltrates it over an existing C2 channel.

The client sends a signal to the attacker’s server to check for instructions or additional payloads at regular intervals (60 seconds).

The attacker can run a PowerShell script and transfer files to the victim machine.

The next stage is again a PowerShell encoded script that deploys the SolarMarker final payload (.NET Infostealer) and loads it into memory (this typically occurs about a few hours after the initial infection of the victim machine).

The attackers' servers and version names vary between the backdoor and infostealer modules.

SolarMarker Infostealer

In terms of its structure, the infostealer module looks very similar to the backdoor module we introduced earlier but has extended capabilities.

The SolarMarker infostealer module acquires login data, cookies and web data (auto-fill) from web browsers by reading files specific to the target browser. SolarMarker uses the API function CryptUnprotectData (DPAPI) to decrypt the credentials.

Key Changes Observed in the New Version of SolarMarker

Let's summarize the main changes seen in the new version of SolarMarker:

• Switches back to executables as the dropper instead of MSI.
• Increases the dropper files to larger volumes.
• The dropper files are always signed by a legitimate company.
• Modified the PowerShell loader script.
• In the first execution of the malware on the victim machine, the backdoor will load into the dropper process and not into the PowerShell process as in previous versions.

Conclusion

This blog post documents recent changes in SolarMarker behavior patterns. These updates appear to upgrade evasion abilities in an attempt to stay under the radar and demonstrate that SolarMarker continues to evolve.

In recent years, the security industry has come to realize the importance of behavior-based detectors to reduce the dwell time of threats inside their network.

Palo Alto WildFire Customers are protected from the SolarMarker malware.

Palo Alto Customers using Cortex XDR Prevent or Pro are protected from such campaigns in different layers, including over 30 Behavioral Threat Protection, BIOC, and Analytics BIOCs rules that identify the tactics and techniques that SolarMarker uses at different stages of its execution.

Most rules are not customized for SolarMarker and are based on unusual, rare behaviors – and therefore provide protection against many additional malware families and campaigns that use the same methods. On top of that, the Local Analysis Engine and WildFire integration provide additional layers of protection to Cortex customers.

Indicators of Compromise

Additional Resources

• The Introduction of the Jupyter Infostealer/Backdoor - Morphisec
• SolarMarker campaign used novel registry for persistence – SOPHOS
• Blocking SolarMarker Backdoor – CrowdStrike
• Threat Spotlight: Solarmarker – Cisco Talos
• New-jupyter-evasive-delivery-through-msi-installer – Morphisec
• Solarmarker In-Depth Analysis – Prodaft
• Malware Analysis (PowerShell to .NET) – John Hammond
• Yellow Cockatoo – Red Canary
• Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1) – Squiblydoo
• Mars-Deimos: From Jupiter to Mars and Back again (Part Two) – Squiblydoo