eSentire has observed a significant rise in SolarMarker infections delivered via drive-by download attacks that rely on social engineering to persuade users to execute malware disguised as document templates. SolarMarker is a modular information stealer; the advisory lists indicators of compromise including payload-hosting domains, command-and-control IP addresses, and payload file hashes. #SolarMarker #DriveByDownload
Keypoints
- Drive-by download attacks deliver SolarMarker via malicious web pages luring users with document template-themed tricks.
- Infection relies on social engineering and careful page design to persuade users to run the payload.
- Payloads are .exe or .msi files disguised as PDF or Word documents (document-style name and icon, with the executable extension hidden by default), so a user expecting a document runs an installer; the document disguise complicates detection.
- Observed IoCs include hosting domains, multiple C2 IP addresses, and several file hashes associated with SolarMarker.
- eSentire’s MDR for Endpoint detects the threat, with C2 addresses added to the block list and ongoing tracking for detection opportunities.
- Recommended defenses include user awareness training, configuring Windows Explorer to show file extensions (so an .exe or .msi cannot pass as a PDF), and endpoint protection (NGAV/EDR) to detect and contain threats.
MITRE Techniques
- [T1189] Drive-by Compromise – drive-by download attacks used to deliver malware via malicious web pages accessed through search results. Quote: “Victims are lured to malicious web pages via search engine results, often for document templates. … they are presented with the option to download a PDF or Word version of the document they are seeking. Instead of a document, they are presented with a malicious executable (.exe) or Microsoft Installer (.msi) file.”
- [T1204.002] User Execution: Malicious File – user interaction leads to execution of a malicious payload. Quote: “Upon clicking on a search result, the user is presented with the option to download a PDF or Word version of the document they are seeking. Instead of a document, they are presented with a malicious executable (.exe) or Microsoft Installer (.msi) file.”
- [T1036] Masquerading – the downloaded executable or installer masquerades as a document: the name and icon read as a PDF, and only the Explorer "Type" column reveals an application. Quote: “SolarMarker appears in file explorer as a PDF (note the ‘type’ field indicates it is an application).”
- [T1071.001] Application Layer Protocol: Web Protocols – SolarMarker beacons to command-and-control servers; the advisory identifies that infrastructure by IP address rather than by protocol detail. Quote: “SolarMarker Command-and-Control IP Addresses”
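The masquerading described under T1036 and the "show file extensions" recommendation above reduce to two checks a responder can automate: does a document-named file actually contain document bytes, and does its hash match the advisory's list? The following is an added example (not eSentire's code) that runs those checks over a download folder. It uses only the two MD5 hashes printed under Indicators of Compromise below; the magic-number table, the list of executable extensions, and the sample files it writes are assumptions constructed for the example.

```python
"""
Added example (not eSentire's code): triage files in a download folder for the
two SolarMarker signals the advisory describes, a document-named file that is
really a PE or Windows Installer package, and a file whose MD5 is on the
advisory's IoC list.
"""
import hashlib
import os
import tempfile

# The two MD5 hashes printed in the advisory summary (it lists five more that
# are not reproduced here). Stored lowercase; lookups normalise case.
SOLARMARKER_MD5 = {
    "03346a959c12ec00bf849a985a297ace",
    "0491cd2715e86e3d4b04f34a0db03ef1",
}

# Magic numbers checked at offset 0. Assumption for this example: only the
# container types relevant to the lure (PDF, Office, PE, MSI) are modelled.
MAGIC = (
    (b"MZ", "pe"),                                   # .exe / .dll / .scr
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # .docx/.xlsx/.pptx (OOXML)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls, but also .msi
)

# Content type(s) that each document extension legitimately carries.
EXPECTED = {".pdf": {"pdf"}, ".docx": {"zip"}, ".xlsx": {"zip"},
            ".doc": {"ole"}, ".xls": {"ole"}}

# Extensions Explorer hides when "Hide extensions for known file types" is on,
# so "Template.pdf.exe" renders as "Template.pdf" (assumed list for this example).
EXECUTABLE_EXT = {".exe", ".msi", ".scr", ".com"}


def sniff(data: bytes) -> str:
    """Return the content type implied by the file header, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def is_known_hash(md5_hex: str) -> bool:
    return md5_hex.lower() in SOLARMARKER_MD5


def triage_bytes(name: str, data: bytes) -> dict:
    """Judge one file by its name and content. Pure function, no I/O."""
    kind = sniff(data)
    md5 = hashlib.md5(data).hexdigest()
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()   # "Template.pdf.exe" -> ".pdf"
    findings = []

    if is_known_hash(md5):
        findings.append("known_solarmarker_hash")

    # Case 1: document extension, non-document bytes ("Template.pdf" that is MZ).
    # 'unknown' is not judged: an unrecognised header is not evidence of a PE.
    if ext in EXPECTED and kind != "unknown" and kind not in EXPECTED[ext]:
        findings.append(f"content_is_{kind}_not_{ext[1:]}")

    # Case 2: executable extension hiding behind a document one.
    if ext in EXECUTABLE_EXT and inner_ext in EXPECTED:
        findings.append("double_extension")

    # Caveat: an MSI renamed to .doc passes Case 1, because legacy Office files
    # and Windows Installer packages share the OLE compound-file signature.
    # Resolving that needs a real OLE parser (e.g. olefile), not a magic check.
    return {"name": name, "type": kind, "md5": md5, "findings": findings}


def triage_file(path: str) -> dict:
    with open(path, "rb") as f:
        return triage_bytes(os.path.basename(path), f.read())


def demo() -> list:
    """Constructed sample files for illustration (not real SolarMarker samples)."""
    samples = {
        "Invoice_Template.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",            # genuine PDF
        "Resume_Template.docx": b"PK\x03\x04\x14\x00\x06\x00",                 # genuine OOXML
        "Contract_Template.pdf": b"MZ\x90\x00\x03\x00\x00\x00",                # PE named .pdf
        "Budget_Template.pdf": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,  # OLE/MSI named .pdf
        "Agenda_Template.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",              # hidden double extension
    }
    results = []
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            results.append(triage_file(path))
    return results


if __name__ == "__main__":
    for r in demo():
        verdict = "SUSPICIOUS" if r["findings"] else "ok"
        print(f"{verdict:10} {r['name']:26} type={r['type']:7} {', '.join(r['findings'])}")
```

Point `triage_file` at each file in a user's Downloads folder instead of the constructed samples; the hash check only fires on the two hashes reproduced here, so extend `SOLARMARKER_MD5` from the full advisory before relying on it.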
Indicators of Compromise
- [Domain] Payload hosting – partnerinsignia.site, pdfdocdownloadspanel.site
- [IP] SolarMarker Command-and-Control IP Addresses – 146.70.24.173, 167.88.15.115, and 7 more IPs
- [Hash] Payload file hashes – 03346A959C12EC00BF849A985A297ACE, 0491CD2715E86E3D4B04F34A0DB03EF1, and 5 more hashes
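The hosting domains and C2 addresses above are most useful as a retrospective sweep of proxy logs. The following is an added example (not eSentire's code) that matches Squid-style access log lines against the two domains and two IPs reproduced on this page; the advisory's remaining seven IPs are not included. The log format, the subdomain-aware matching, and the sample log lines are assumptions constructed for the example.

```python
"""
Added example (not eSentire's code): sweep proxy access logs for the
SolarMarker hosting domains and C2 IPs listed in the advisory summary.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Only the indicators printed in the summary; the advisory lists seven more
# C2 IPs that are not reproduced here.
HOSTING_DOMAINS = {"partnerinsignia.site", "pdfdocdownloadspanel.site"}
C2_IPS = {ipaddress.ip_address("146.70.24.173"),
          ipaddress.ip_address("167.88.15.115")}

# Squid native access.log layout (assumed for this example):
# time elapsed client code/status bytes method URL user peerstatus/peerhost type
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<mime>\S+)"
)

# Constructed sample log (203.0.113.0/24 is documentation address space).
SAMPLE_LOG = """\
1712345600.001   120 10.0.0.12 TCP_MISS/200 8412 GET https://www.example.com/ - HIER_DIRECT/203.0.113.5 text/html
1712345601.417   245 10.0.0.12 TCP_MISS/200 45312 GET https://pdfdocdownloadspanel.site/Invoice_Template.pdf - HIER_DIRECT/146.70.24.173 application/x-msdownload
1712345602.903    88 10.0.0.12 TCP_TUNNEL/200 6120 CONNECT 167.88.15.115:443 - HIER_DIRECT/167.88.15.115 -
1712345603.220    61 10.0.0.33 TCP_MISS/200 1024 GET http://cdn.partnerinsignia.site/t.js - HIER_DIRECT/203.0.113.7 application/javascript
1712345604.550    30 10.0.0.44 TCP_MISS/200 512 GET https://notpartnerinsignia.site/ - HIER_DIRECT/203.0.113.8 text/html
"""


def normalise_host(host: str) -> str:
    return host.strip().lower().rstrip(".")


def domain_matches(host: str, blocklist: set) -> bool:
    """True if host equals a listed domain or is a subdomain of one.
    The '.' prefix prevents 'notpartnerinsignia.site' matching 'partnerinsignia.site'."""
    host = normalise_host(host)
    return any(host == d or host.endswith("." + d) for d in blocklist)


def ip_matches(host: str) -> bool:
    try:
        return ipaddress.ip_address(host) in C2_IPS
    except ValueError:          # not an IP literal
        return False


def host_from_url(url: str) -> str:
    """Host without port from a full URL or a bare host:port (CONNECT target)."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return parts.hostname or ""


def scan_line(line: str):
    m = SQUID_RE.match(line)
    if not m:
        return None
    url_host = host_from_url(m["url"])
    peer_ip = m["peer"].split("/", 1)[-1]
    reasons = []
    if domain_matches(url_host, HOSTING_DOMAINS):
        reasons.append(f"hosting_domain:{normalise_host(url_host)}")
    if ip_matches(url_host):
        reasons.append(f"c2_ip_in_url:{url_host}")
    if ip_matches(peer_ip):
        reasons.append(f"c2_ip_peer:{peer_ip}")
    if not reasons:
        return None
    return {"ts": m["ts"], "client": m["client"], "url": m["url"], "reasons": reasons}


def scan_log(text: str) -> list:
    return [hit for hit in (scan_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']:10} {hit['url']:55} {', '.join(hit['reasons'])}")
```

Both the URL host and the peer address are checked because a download that resolves a hosting domain still surfaces the C2 address in the peer field, and a bare CONNECT to an IP carries no domain at all.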
Read more: https://www.esentire.com/security-advisories/solarmarker-malware-activity