SolarMarker is a .NET information stealer and backdoor distributed via novel MSI installers and PowerShell-based deployment. SophosLabs describes how the campaign used SEO poisoning, deceptive web pages, and a multi-stage redirect and persistence technique to load the backdoor. #SolarMarker #Polazert
Keypoints
- SolarMarker (also known as Jupyter or Polazert) is a .NET information stealer and backdoor historically delivered by a PowerShell-based installer.
- From Oct 2021, campaigns combined SEO targeting with custom MSI installers to deliver the payload and establish persistence via registry changes and a startup shortcut.
- SEO methods included Google Groups discussions, deceptive pages, and PDFs hosted on compromised sites to drive downloads and lure clicks.
- The MSI installer executes a decoy installer while launching a PowerShell script that modifies the registry and places a startup LNK to load an encrypted payload hidden in a smoke screen of junk files.
- A “smoke screen” of 100–300 random files and a unique random extension hides the actual payload, with a custom file-type handler that decrypts and loads the backdoor reflectively.
- Redirection infrastructure uses many .site domains with 302 redirects, ultimately delivering the MSI and then the backdoor to the target system.
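As an added detection example (not code from the SophosLabs report or the malware itself), the following Python flags the chain described above from Sysmon-style records: msiexec spawning PowerShell, a per-user file-type handler whose open command runs PowerShell, a .lnk written to the Startup folder, and the "one real payload among 100–300 junk files" layout. Field names follow Sysmon; all sample events, paths, the user name and the `.qzfpt` extension are constructed.

```python
import re
from collections import Counter

# Per-user file-type handler key: HKCU\Software\Classes\.<ext>\shell\open\command
HANDLER_RE = re.compile(r"\\Software\\Classes\\(\.[A-Za-z0-9]+)\\shell\\open\\command$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

def _ext(name):  # lower-cased ".ext" of a file name, or "" if it has none
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""

def find_solarmarker_chain(events):
    """Return (rule, detail) findings over Sysmon-style event dicts for the stages
    described above: msiexec spawning powershell (event ID 1), a file-type handler
    whose open command runs powershell (ID 13), a .lnk in the Startup folder (ID 11)."""
    findings = []
    for e in events:
        eid = e.get("event_id")
        if eid == 1:
            parent, image = e.get("ParentImage", "").lower(), e.get("Image", "").lower()
            if parent.endswith("\\msiexec.exe") and image.endswith("\\powershell.exe"):
                findings.append(("msi_spawns_powershell", e.get("CommandLine", "")))
        elif eid == 13:
            m = HANDLER_RE.search(e.get("TargetObject", ""))
            if m and "powershell" in e.get("Details", "").lower():
                findings.append(("custom_handler_runs_powershell", m.group(1).lower()))
        elif eid == 11:
            target = e.get("TargetFilename", "")
            if STARTUP_RE.search(target):
                findings.append(("startup_lnk_dropped", target))
    return findings

def smoke_screen_candidates(filenames, handler_exts, min_files=100):
    """In a large listing, return files whose extension is unique and registered with a
    custom handler: the 'one real payload among 100-300 junk files' layout."""
    if len(filenames) < min_files:
        return []
    counts = Counter(_ext(f) for f in filenames)
    return [f for f in filenames if _ext(f) in handler_exts and counts[_ext(f)] == 1]

# Constructed sample telemetry and listing; paths, user and ".qzfpt" are made up.
SAMPLE_EVENTS = [
    {"event_id": 1, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\inst.ps1"},
    {"event_id": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\.qzfpt\shell\open\command",
     "Details": r"powershell.exe -File <constructed loader stub>"},
    {"event_id": 11, "TargetFilename":
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a.lnk"},
]
SAMPLE_DIR = [f"junk{i}.{'abc' if i % 2 else 'xyz'}" for i in range(120)] + ["payload.qzfpt"]
```

The handler extension reported by `find_solarmarker_chain` can be fed straight into `smoke_screen_candidates` to locate the payload in the junk directory.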
MITRE Techniques
- [T1059.001] PowerShell – The MSI installer launches a PowerShell script to install the malware. “…launching a PowerShell script that installed the malware.”
- [T1620] Reflective Code Loading – The reflectively loaded payload is the SolarMarker backdoor.
- [T1112] Modify Registry – The PowerShell script modified the Windows registry and dropped a .lnk file into Windows’ startup directory to establish persistence. “The PowerShell script modified the Windows registry and dropped a .lnk file into Windows’ startup directory to establish persistence.”
- [T1547.001] Boot or Logon Autostart Execution – The startup LNK in the Windows startup directory establishes persistence. “dropped a .lnk file into Windows’ startup directory to establish persistence.”
- [T1036] Masquerading – The installer uses a decoy and names that mirror targeted terms; the decoy is a legit Wondershare PDFelement installer. “The decoy is a legit installer for Wondershare PDFelement.”
- [T1071.001] Web Protocols – C2 communications occur over HTTP/S with multiple server variants. “The backdoor calls back to the C2 server with a JSON message to C2 server…”
- [T1027] Obfuscated/Compressed Files and Information – The payload is encoded/encrypted (base64 and XOR/RSA) and loaded by a custom handler. “The data sent to the C2 server was encrypted using a XOR algorithm… RSA encryption.”
Indicators of Compromise
- [IP] C2 infrastructure – 45.146.165.221, 91.241.19.110, and 14 more addresses
- [Domain] Redirector and staging domains – triplegnuise.site, passesleeson.site, and 2 more domains
- [File] Installer and decoys – good-choice-bad-choice-worksheet-for-kids.msi, dist-x86.exe