eSentire’s Threat Response Unit (TRU) reports a surge of SolarMarker infections across multiple industries since late 2023, with evolving payloads and anti-analysis techniques. The researchers detail the infection chain, from installer-based payloads to a PowerShell decrypt-and-execute stage, and the second-stage payloads that follow, such as infostealers and hVNC (hidden VNC). #SolarMarker #Kaseya

Keypoints

  • SolarMarker infections have significantly increased across various industries (insurance, manufacturing, software, construction, real estate, utilities, legal) since November 2023.
  • The threat actor alternates between Inno Setup and PS2EXE to package the first-stage payload; the PS2EXE variants are varied through simple string replacements in the wrapper.
  • A PowerShell script decrypts the embedded payload with AES and then invokes a specific class and method name from the decrypted payload, so the malicious code never has to exist on disk in decrypted form.
  • The decrypted payload has been padded with extra junk instructions and junk byte arrays to slow down static analysis and decompilation.
  • A successful infection leads to the loading of second-stage payloads such as infostealers and hVNC, making this a multi-stage chain in which the first stage is only a loader.
  • TRU recommendations emphasize phishing/security awareness training and the use of password managers with master passwords to reduce risk.
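The keypoints describe a first stage that base64-decodes and AES-decrypts an embedded blob, then calls a named class and method inside it. A PowerShell Script Block Logging (Event ID 4104) collector that co-locates those signals is a practical detection. The following is an added example written for this page, not eSentire's detection content: the specific .NET API names it searches for (AesCryptoServiceProvider, CreateDecryptor, [Reflection.Assembly]::Load, GetType().GetMethod().Invoke) are an assumption about how such a script would be written, and both script blocks are constructed samples.

```python
import re

# Added heuristic, not TRU's content. The page says the PowerShell stage AES-decrypts
# an embedded payload and then invokes specific class and method names; the .NET API
# names below are an assumption about how a script would do that, not page facts.
PATTERNS = {
    "aes": re.compile(
        r"AesCryptoServiceProvider|AesManaged|Cryptography\.Aes\b|CreateDecryptor", re.I),
    "base64_blob": re.compile(r"FromBase64String", re.I),
    "assembly_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\b", re.I),
    "reflective_invoke": re.compile(
        r"\.GetType\(\s*['\"][^'\"]+['\"]\s*\)\s*\.GetMethod\(\s*['\"][^'\"]+['\"]\s*\)\s*\.Invoke\(",
        re.I),
    # The page quotes a zero-byte decoy "EULA.pdf"; a quoted .pdf path is a weak supporting signal.
    "decoy_pdf": re.compile(r"['\"][^'\"]*\.pdf['\"]", re.I),
}


def score_scriptblock(text: str):
    """Return (matched pattern names, flagged) for one logged PowerShell script block.

    A block is flagged when decryption and in-memory assembly loading co-occur,
    or when three or more of the signals are present.
    """
    matched = {name for name, rx in PATTERNS.items() if rx.search(text)}
    flagged = ({"aes", "assembly_load"} <= matched) or len(matched) >= 3
    return matched, flagged


# Constructed sample script blocks (not captured from a real infection).
SUSPICIOUS = (
    "$k=[Convert]::FromBase64String('AAAAAAAAAAAAAAAAAAAAAA==');"
    "$c=[Convert]::FromBase64String('AAAAAAAAAAAAAAAAAAAAAA==');"
    "$a=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$a.Key=$k;$a.IV=$iv;"
    "$p=$a.CreateDecryptor().TransformFinalBlock($c,0,$c.Length);"
    "[IO.File]::WriteAllBytes(\"$env:TEMP\\EULA.pdf\",@());"
    "[System.Reflection.Assembly]::Load($p).GetType('Loader.Main').GetMethod('Run').Invoke($null,$null)"
)
BENIGN = (
    "$cfg=[Convert]::FromBase64String($env:APP_CFG);"
    "Get-Process | Where-Object { $_.CPU -gt 100 }"
)

if __name__ == "__main__":
    for label, block in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        matched, flagged = score_scriptblock(block)
        print(f"{label}: flagged={flagged} signals={sorted(matched)}")
```

Base64 decoding alone is common in legitimate administration scripts, which is why the heuristic only fires on the combination of decryption with reflective loading, or on a pile-up of signals; tune the threshold against your own 4104 baseline before alerting on it.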

MITRE Techniques

  • [T1059.001] PowerShell – The extracted script is a PowerShell payload that decrypts and executes the next stage. Quote: “The PowerShell script extracted can be seen in Figure 3. This script is designed to write 0 bytes to the decoy PDF named “EULA.pdf,” causing an error when the infected machine tries to open the PDF file.”
  • [T1027] Obfuscated Files and Information – The payload is AES-encrypted inside the script, and the decrypted payload is padded with junk instructions and junk byte arrays to slow analysis. Quotes: “the payload within the script is encrypted using Advanced Encryption Standard (AES).” and “added more junk instructions (Figure 4), as can be seen in Figure 5 where junk byte arrays are present.”
  • [T1036.005] Masquerading: Match Legitimate Name or Location – The payload is packaged with Inno Setup or PS2EXE and delivered under software-themed file names (Autodesk.exe, Warlord-Games.exe) so that it passes as a legitimate installer. Quote: “alternated between Inno Setup and PS2EXE tools to generate payloads.”
  • [T1105] Ingress Tool Transfer – After infection, SolarMarker loads second-stage payloads (infostealers and hVNC), indicating retrieval and placement of additional tooling. Quote: “Upon successful infection, SolarMarker loads second-stage payloads including infostealers and hVNC.”

Indicators of Compromise

  • [IP Address] C2 servers – 78.135.73.165, 217.138.215.85, 146.70.145.242, 185.243.113.39
  • [File Hash] Decrypted payload – MD5 8eeefe0df0b057fc866b8d35625156de and SHA-1 1d99b085ff8994642129312556f66740da9b9c8a
  • [File Name] Installer/payload file names – Autodesk.exe, Warlord-Games.exe
  • [RSA Key] RSA public key in the payload header, in .NET RSAKeyValue XML form (base64 big-endian Modulus and Exponent); the Modulus is truncated in the source (r9ensa/…) and the Exponent AQAB decodes to 65537
  • [Indicator] 2018-IBC-Use-of-Fire-and-Smoke-Separations-2019-ICC-Annual – listed in the IoC table with the MD5-length digest b45c31679c2516b38c7ff8c395f1d11d
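The list above mixes digest types without labelling them and gives the embedded RSA key in .NET's RSAKeyValue XML form. The following added example (written for this page, not eSentire's tooling) classifies the hashes by length, parses an RSAKeyValue element into its integer modulus and exponent, and sweeps Sysmon-style log lines for the IPs, hashes and file names listed. The RSAKeyValue sample is constructed from a 1024-bit integer because the page's modulus is truncated, and the log lines are constructed, not real telemetry.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Indicators copied from the IoC list above, lower-cased for matching.
C2_IPS = {"78.135.73.165", "217.138.215.85", "146.70.145.242", "185.243.113.39"}
PAYLOAD_HASHES = {
    "8eeefe0df0b057fc866b8d35625156de",           # MD5, decrypted payload
    "1d99b085ff8994642129312556f66740da9b9c8a",   # SHA-1, decrypted payload
    "b45c31679c2516b38c7ff8c395f1d11d",           # MD5, 2018-IBC-... indicator
}
LURE_FILENAMES = {"autodesk.exe", "warlord-games.exe"}

HASH_KIND_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(token: str):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest of that length, else None."""
    t = token.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", t):
        return None
    return HASH_KIND_BY_LEN.get(len(t))


def parse_rsa_key_value(xml_text: str):
    """Parse a .NET-style <RSAKeyValue> public key (base64, big-endian Modulus/Exponent).

    Returns (modulus, exponent, modulus bit length).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("not an RSAKeyValue element")
    n = int.from_bytes(base64.b64decode(root.findtext("Modulus")), "big")
    e = int.from_bytes(base64.b64decode(root.findtext("Exponent")), "big")
    return n, e, n.bit_length()


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")
FILE_RE = re.compile(r"[^\\/\s\"']+\.exe\b", re.IGNORECASE)


def sweep(lines):
    """Return (line_index, kind, value) for every listed indicator found in the log lines."""
    hits = []
    for i, line in enumerate(lines):
        for ip in IPV4_RE.findall(line):
            if ip in C2_IPS:
                hits.append((i, "c2_ip", ip))
        for h in HEX_RE.findall(line):
            if classify_hash(h) and h.lower() in PAYLOAD_HASHES:
                hits.append((i, "hash", h.lower()))
        for f in FILE_RE.findall(line):
            if f.lower() in LURE_FILENAMES:
                hits.append((i, "filename", f))
    return hits


# Constructed sample key: a 1024-bit modulus built from an integer, exponent 65537 ("AQAB").
SAMPLE_MODULUS = (1 << 1023) + 12345
SAMPLE_RSA_XML = (
    "<RSAKeyValue><Modulus>%s</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
    % base64.b64encode(SAMPLE_MODULUS.to_bytes(128, "big")).decode()
)

# Constructed Sysmon-like lines (not real telemetry); the third line is benign noise.
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Users\\victim\\Downloads\\Autodesk.exe "
    "Hashes=MD5=8EEEFE0DF0B057FC866B8D35625156DE",
    "EventID=3 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "DestinationIp=78.135.73.165 DestinationPort=443",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe "
    "DestinationIp=142.250.74.46 DestinationPort=443",
]

if __name__ == "__main__":
    n, e, bits = parse_rsa_key_value(SAMPLE_RSA_XML)
    print(f"RSA public key: e={e} modulus={bits} bits")
    for hit in sweep(SAMPLE_LOG):
        print(hit)
```

Matching on the hashes and file names is only as durable as the actor's build process: the keypoints note that the PS2EXE variants are regenerated with string replacements, so treat the C2 addresses and the RSA modulus, which persist across rebuilds, as the stronger pivots.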

Read more: https://www.esentire.com/blog/the-oncoming-wave-of-solarmarker