SolarMarker was observed infecting users via a drive-by download after visiting a malicious site impersonating Indeed, leading to the deployment of StellarInjector and SolarPhantom. The campaign also includes AES-encrypted backdoors, SEO poisoning, and the use of legitimate certificates from DigiCert and GlobalSign. #SolarMarker #StellarInjector #SolarPhantom #Indeed #SEOpoisoning
Key Points
- In April 2024, a SolarMarker infection occurred via a drive-by download after a Bing search redirected to a malicious site impersonating Indeed.
- The backdoor is now embedded in the file’s resource section and encrypted with AES, with fake error messages used during execution.
- The backdoor establishes C2 connections to two addresses: 2.58.15[.]118 and 146.70.80[.]83.
- The StellarInjector payload is delivered to inject SolarPhantom into the SearchIndexer.exe process, enabling further capabilities.
- SolarPhantom provides information stealing and hidden VNC-like capabilities (hvNC).
- The campaign used legitimate certificates from DigiCert and GlobalSign for the initial payload, underscoring certificate misuse risks.
MITRE Techniques
- [T1189] Drive-by Compromise – Infection occurred via a drive-by download from a malicious site impersonating Indeed, reached through a Bing search. ‘The infection occurred through a drive-by download when a user, while searching for workplace team-building ideas on Bing, was directed to a malicious site impersonating the global employment website, Indeed.’
- [T1055] Process Injection – SolarPhantom injected into the SearchIndexer.exe process. ‘injecting SolarPhantom into SearchIndexer.exe process (Figure 4).’
- [T1027] Obfuscated/Compressed Files and Information – The backdoor is stored in the file’s resource section, encrypted with AES. ‘the backdoor in the resource section (Figure 2) of the file encrypted with the AES encryption algorithm.’
- [T1105] Ingress Tool Transfer – Additional components (StellarInjector and SolarPhantom) were delivered to enable further compromise. ‘delivered the StellarInjector payload (MD5: 0440b3fbc030233b4e9c6748eba27e4d) that is responsible for injecting SolarPhantom’
- [T1036] Masquerading – The attack leveraged impersonation of a legitimate site (Indeed) to mislead users. ‘The incident emphasizes the danger of malicious websites impersonating well-known legitimate sites like Indeed.’
Indicators of Compromise
- [IP] 2.58.15[.]118 – backdoor C2 server
- [IP] 146.70.80[.]83 – backdoor C2 server
- [MD5] 0440b3fbc030233b4e9c6748eba27e4d – StellarInjector
- [MD5] 6bef5498c56691553dc95917ff103f5e – SolarPhantom
- [URL] https://github.com/esThreatIntelligence/iocs/blob/main/SolarMarker/iocs_5-31-2024.txt – Indicator of Compromise repository with IOCs