Threat Intelligence Malware Analysis: SolarMarker — To Jupyter and…

eSentire’s TRU analyzes SolarMarker (aka Jupyter), a .NET-based backdoor campaign that infects users via compromised WordPress sites and loads staged payloads through PowerShell, culminating in a Delphi-based hVNC backdoor named SolarPhantom with data exfiltration capabilities. The campaigns show evolving decryption and obfuscation techniques, new hosting practices (including actors running their own landing pages), and multiple versions (JN-2, JN-10, M-VII) across various sectors.
#SolarMarker #Jupyter #StellarInjector #SolarPhantom #BookBaby #Arcadis

Keypoints

  • SolarMarker uses process injection to run the hVNC and data staging payload.
  • The actors behind SolarMarker primarily utilize .NET for payloads, with the hVNC backdoor implemented in Delphi.
  • The initial infection triggers numerous PowerShell processes, creating a highly noticeable activity pattern.
  • Threat actors began hosting their own landing pages, moving away from third-party hosting.
  • Observed versions deployed include JN-2, JN-10, and M-VII.
  • The campaign targets healthcare, power/utilities, transportation, legal, software, and finance sectors, among others.
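The "numerous PowerShell processes" pattern noted above is something a defender can hunt for in process-creation telemetry. The following is an added example written for this summary, not code from eSentire or from the report; it assumes a constructed CSV-like event shape (timestamp, parent PID, parent image, child image) and invented paths, and flags any parent that spawns a burst of PowerShell children within a short window.

```python
# Added defensive example (not from the eSentire report): flag bursts of
# PowerShell process creations under a single parent process within a short
# time window, the "highly noticeable activity pattern" described above.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (assumed Sysmon-like shape):
# timestamp, parent PID, parent image, child image. All values are invented.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01,4120,C:\\Users\\u\\Downloads\\Invoice_2024.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-05-01T10:00:03,4120,C:\\Users\\u\\Downloads\\Invoice_2024.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-05-01T10:00:04,4120,C:\\Users\\u\\Downloads\\Invoice_2024.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-05-01T10:00:08,4120,C:\\Users\\u\\Downloads\\Invoice_2024.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-05-01T10:00:15,4120,C:\\Users\\u\\Downloads\\Invoice_2024.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-05-01T10:00:20,4120,C:\\Users\\u\\Downloads\\Invoice_2024.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-05-01T10:05:00,900,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-05-01T10:05:30,900,C:\\Windows\\explorer.exe,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
2024-05-01T10:06:00,1500,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-05-01T10:09:00,1500,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""

# Both the Windows PowerShell host and PowerShell 7 are counted.
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}


def parse_events(text):
    """Parse the constructed CSV shape into (timestamp, ppid, parent, child)."""
    events = []
    for line in text.strip().splitlines():
        ts, ppid, parent, child = line.split(",")
        events.append((datetime.fromisoformat(ts), int(ppid), parent, child))
    return events


def find_powershell_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {(ppid, parent_image): max_count} for every parent that spawned
    at least `threshold` PowerShell children inside any `window`-long span."""
    by_parent = defaultdict(list)
    for ts, ppid, parent, child in events:
        if child.rsplit("\\", 1)[-1].lower() in POWERSHELL_NAMES:
            by_parent[(ppid, parent)].append(ts)

    hits = {}
    for key, stamps in by_parent.items():
        stamps.sort()
        best, start = 0, 0
        # Sliding window over sorted timestamps: widest run within `window`.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


if __name__ == "__main__":
    for (ppid, parent), count in find_powershell_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"PID {ppid} ({parent}) spawned {count} PowerShell children within 60s")
```

The threshold and window are tuning knobs; a parent living in a user's Downloads folder spawning several PowerShell hosts in under a minute is far more suspicious than the same count from a scheduled administration script, so in practice the parent image path would be weighed alongside the burst count.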

MITRE Techniques

  • [T1189] Drive-by Compromise – SolarMarker is delivered via malicious websites hosting the payload disguised as a document file (PDF, DOC, XLS, PPT).
  • [T1204.002] Malicious File – The user launches the malicious file.
  • [T1059.001] Command and Scripting Interpreter: PowerShell – SolarMarker uses PowerShell to load the payload in memory and retrieve additional payloads from C2. – “SolarMarker utilizes PowerShell to load the payload in memory as well as to retrieve additional payloads from C2”.
  • [T1055.012] Process Hollowing – Process hollowing is used with ZwUnmapViewOfSection and memory/resume techniques (VirtualAllocEx, SetThreadContext, WriteProcessMemory). – “the process hollowing. This technique utilizes APIs like ZwUnmapViewOfSection to unmap the process and subsequently resumes execution by utilizing VirtualAllocEx, SetThreadContext, and WriteProcessMemory.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence is achieved via the Startup folder. – “Persistence is achieved via the startup folder”.
  • [T1074] Data Staged – SolarMarker performs data staging of sensitive files from browsers, including credentials, cookies and sends them over to C2. – “SolarMarker performs data staging of sensitive files from browsers, including credentials, cookies and sends them over to C2”.
  • [T1036] Masquerading – The threat actors use landing pages that resemble legitimate companies (BookBaby, Arcadis). – “landing pages resemble other legitimate companies… BookBaby and Arcadis clones”.
  • [T1555.003] Credentials in Web Browsers – Browser-stored credentials and data are exfiltrated during data staging. – “Credentials from Web Browsers”.
  • [T1041] Exfiltration Over C2 Channel – Stolen data is uploaded to the C2 server. – “uploading the stolen data to the C2 server”.
  • [T1140] Deobfuscate/Decode Files or Information – The payload undergoes decoding/decrypting steps (Base64, XOR/AES) to reveal the second-stage payload. – “Base64-encoded payload”, “XOR” and “AES” decryptions are described throughout the stages.

Indicators of Compromise

  • [Hash] SolarPhantom – backdoor payload hash values – 55419e51ef8a0521f5d7075dbec7bc33, f5321b32e719e876feae3b5e4a875377
  • [Hash] SolarPhantom – additional backdoor hash – 23807082358d736404cfa935fe7c65b5
  • [IP] C2 servers – 146.70.86.142, 146.70.169.170, and 23.29.115.186
  • [Hash] First stage payload – 3fd9d81c06743c2eaffce6995ff1e46c
  • [Hash] StellarInjector – third-stage payload – ca229e08ac6a0ace70d2224ea6c5d416

Read more: https://www.esentire.com/blog/solarmarker-to-jupyter-and-back