Researchers Spot New Malware Campaign Pushing Solarmarker
Security researchers with Cisco Talos have spotted and examined a new malicious campaign using the Solarmarker malware. According to the research, the new campaign is run by skilled and sophisticated threat actors.
Solarmarker is a multi-purpose malicious tool that has RAT, backdoor, infostealer and keylogger functionality. It has not been used in a larger, orchestrated campaign in the last few months, which prompted Cisco to focus more closely on this latest push.
Picking apart the keylogger component of Solarmarker in this specific campaign revealed that it was very likely focused on European victims, as the tool only works with and understands strings in English, German and Russian.
The bad actors behind the current campaign are not particularly picky about their targets, however. ZDNet quoted the Cisco report, which describes the Solarmarker campaign as targeting governmental, healthcare and educational institutions, seemingly with no specific pattern.
Researchers working with Microsoft also noted that it appears the bad actors are using some sort of SEO poisoning. The purpose of this technique is to improve the visibility of the malware's dropper in various search engine result pages.
Interestingly, the previous campaign in which SEO poisoning was first spotted being used with Solarmarker was mostly aimed at victims in the US.
Infosec is warning that the current version of Solarmarker can not only steal information entered into browser forms by company employees but also scrape login credentials that could lead to network-wide compromise.
Solarmarker uses a DLL module nicknamed Jupyter, which exfiltrates personal information, login credentials and form-fill data from both Chrome and Firefox.
The malware's dropper is primarily distributed through infected and fake pages on free download websites. As with a lot of other malware, the best way to steer clear of Solarmarker is to steer clear of any and all suspicious downloads.