
Analysts Identify SolarMarker Malware in Bing Searches

Highlights

  • SolarMarker targets Bing users searching for team-building activities.

  • Attack involved a fake Indeed website to deploy the malware payload.

  • Continuous vigilance and updated security measures are essential.

Samantha Reed
Last updated: 17 June, 2024 - 6:46 pm

Security analysts recently uncovered a drive-by download attack involving SolarMarker malware. Users searching for team-building activities on Bing became targets, revealing the persistent threat posed by deceptive online tactics. The attackers cleverly redirected unsuspecting users to a malicious website mimicking the Indeed job search platform, leading to the download of the harmful SolarMarker payload.


SolarMarker, a type of information-stealing malware, was initially discovered in 2020. Designed to infiltrate systems and gather sensitive data, it typically spreads via malicious search engine optimization (SEO) tactics. Upon execution, it deploys various components to further compromise the target system. Launched by cybercriminals, SolarMarker is a persistent threat in the cyber landscape.

Redirection and Payload Deployment

In this specific attack, the malicious website posed as Indeed, a popular job search platform. When users attempted to download a document related to team-building, they unknowingly initiated the download of SolarMarker. Once executed, the initial payload displayed a fake error message and connected to command and control (C2) servers at specified IP addresses. This connection allowed the attackers to deploy additional components such as StellarInjector and SolarPhantom, escalating the threat to the infected systems.

The structure of the attack reveals significant changes in SolarMarker’s tactics. Previously, the backdoor was embedded directly in the code. The updated version now embeds the backdoor within the resource section of an AES-encrypted file. This modification suggests ongoing adaptations by attackers to evade detection and increase the malware’s effectiveness.

Details of Infection and Exploitation

Upon successful connection to the C2 servers, the StellarInjector payload is delivered, which subsequently injects SolarPhantom into the SearchIndexer.exe process. This injection enables information stealing and hidden virtual network computing (hVNC) capabilities. The malware specifically targets systems running Windows 10 x86 with limited privileges, indicating a focused approach by the threat actors.

The attack’s configuration reveals an intent to exploit browsing data, particularly from Firefox. It extracts the user’s profile path and manipulates it for further malicious actions. Utilizing an RSA public key, the malware stages stolen data within temporary folders named with 10-digit values. This methodical approach highlights the sophistication of the SolarMarker malware.
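For defenders, the two behaviours described above (activity from an injected SearchIndexer.exe and staging in 10-digit temporary folders) can be turned into a simple triage pass over endpoint telemetry. The following is an added example, not code from the article or from eSentire; the event field names, the `AppData\Local\Temp` location, the sample events, and the expectations that the genuine indexer is started by services.exe and makes no external connections are assumptions.

```python
import ipaddress
import re

# Temp sub-folder whose name is exactly ten digits (the staging pattern the article describes).
STAGING_RE = re.compile(r"\\AppData\\Local\\Temp\\(\d{10})(?:\\|$)", re.IGNORECASE)
# Internal ranges; anything else counts as external for this heuristic.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
INDEXER = "searchindexer.exe"

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def triage(events):
    """Return (event index, reason) pairs worth an analyst's look."""
    hits = []
    for i, ev in enumerate(events):
        image = basename(ev.get("image", ""))
        if ev["type"] == "file_create" and STAGING_RE.search(ev["target"]):
            hits.append((i, "10-digit Temp staging folder"))
        elif ev["type"] == "process_create" and image == INDEXER:
            # Assumption: the genuine indexer is started by services.exe.
            if basename(ev.get("parent_image", "")) != "services.exe":
                hits.append((i, "SearchIndexer.exe with unexpected parent"))
        elif ev["type"] == "network_connect" and image == INDEXER:
            if is_external(ev["dest_ip"]):
                hits.append((i, "SearchIndexer.exe external connection"))
    return hits

# Constructed sample events (simplified, Sysmon-like field names are assumptions).
SAMPLE = [
    {"type": "process_create", "image": r"C:\Windows\System32\SearchIndexer.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\SearchIndexer.exe",
     "parent_image": r"C:\Users\alice\Downloads\document.exe"},
    {"type": "network_connect", "image": r"C:\Windows\System32\SearchIndexer.exe",
     "dest_ip": "203.0.113.10"},
    {"type": "file_create", "image": r"C:\Windows\System32\SearchIndexer.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\4820193756\profile.zip"},
    {"type": "file_create", "image": r"C:\Program Files\App\setup.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\12345\log.txt"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE):
        print(idx, reason)
```

A 10-digit folder name alone will also match some benign installers, so these hits are leads to correlate rather than verdicts.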

Additionally, SolarMarker employs an algorithm to generate folder names for the initial payload, involving specific byte and XOR operations. The use of certificates from DigiCert and GlobalSign underscores the lengths to which attackers go to legitimize their malicious files.

Compared with past incidents, it’s evident that SolarMarker continues to evolve. Previous attacks similarly used SEO poisoning and fake websites to lure victims. The persistence of such tactics emphasizes the importance of user vigilance and the need for robust security measures. The eSentire Threat Response Unit (TRU) investigation in April 2024 confirmed the malware’s deployment through Bing searches, reinforcing the ongoing threat posed by SolarMarker.

One notable difference in this recent attack is the use of team-building activities as a lure, reflecting the attackers’ efforts to exploit timely and relevant search trends. This approach mirrors earlier tactics but with a novel twist, indicating the adaptability of adversaries in choosing effective bait.

The discovery of SolarMarker malware targeting Bing search users underscores the evolving nature of cyber threats. The attackers’ strategy of redirecting users to a fake Indeed website and deploying the payload through deceptive means highlights the need for continuous vigilance. As the malware’s tactics evolve, it is crucial for users and organizations to stay updated with the latest security measures and practices. Regular system updates, awareness training, and advanced threat detection can significantly mitigate the risks associated with such sophisticated cyber attacks.
