Lmst

#SolarMarker

#SolarMarker RAT
#Signed "Plus 5 XP Corporation"
#ImpostorCertificate

Decoy: Show('The code execution cannot proceed because MSVCR120.dll was not found. Reinstalling the program may fix this problem.'

C2: 68.233.238.123

More links in comment

VT: https://virustotal.com/gui/file/96512386ea92612cd3c09c377f6a62e1df7a940ce4e46ca5562d75a1017413c9/details

Triage: https://tria.ge/240603-xv6kjsge95/behavioral2

MB: https://bazaar.abuse.ch/sample/ba00fdc92ceaa66612cda52a770bda7961f8cee511e714b6db208583e9f40729/

Backdoor: https://bazaar.abuse.ch/sample/8b3e8a5415487bfb9d6dddaa5e3983ec364bd7754488e97501766dbdfdf39719/

Exploring the Depths of SolarMarker's Multi-tiered Infrastructure
#Solarmarker
https://www.recordedfuture.com/exploring-the-depths-of-solarmarkers-multi-tiered-infrastructure

Today we are releasing new research exploring #SolarMarker’s tactics and multi-tiered #infrastructure using various methods, including Network Intelligence.
https://www.recordedfuture.com/exploring-the-depths-of-solarmarkers-multi-tiered-infrastructure

It is common for malware to be signed with code signing certificates.

How is this possible? Impostors receive the cert directly and sign malware.

In this blog-post, we look at 100 certs used by #Solarmarker malware to learn more.

https://squiblydoo.blog/2024/05/13/impostor-certs/

#SolarMarker Infostealer
#Signed: "Table Ronde 1155 Inc."
This marks 100 Authenticode Certificates for SolarMarker. Watch for our blog-post looking back over these 100 certs. Image is a sneak peak.

Loader: https://www.virustotal.com/gui/file/6c59f4f268f1ce1d85cdf9169e81464bb950ec572ea1e3ab9cc4ff4a75589435
MB: https://bazaar.abuse.ch/sample/f857356716201ad76f53ff847644b230f54859c442f6f0ff35c2dc5ee2879374/

Backdoor: https://www.virustotal.com/gui/file/d1cc1eee8759fb31c6c45a8a690e1a977848655ae9bd6d8ce6ac3fcef80814b1/detection
https://bazaar.abuse.ch/sample/d1cc1eee8759fb31c6c45a8a690e1a977848655ae9bd6d8ce6ac3fcef80814b1/

eSentire described two incidents today:

a tax-themed threat delivering XWorm as the final payload, using phishing emails as initial infection vector. 🔗https://www.esentire.com/blog/dont-take-the-bait-the-xworm-tax-scam
SolarMarker malware campaigns are now utilizing PyInstaller to hide malicious PowerShell scripts 🔗 https://www.esentire.com/blog/solarmarkers-shift-to-pyinstaller-tactics

Attack chains, IOC and Yara rules provided.

#threatintel #IOC #Xworm #phishing #SolarMarker #PyInstaller

#SolarMarker #Infostealer is back.
Signed: "SLIM DOG SP Z O O"

Decoy + Backdoor
Today, the decoy is a 240pg graphic novel.

VT: https://virustotal.com/gui/file/fbef401c6a7ad24640f6b6583aa0d0fa02aa895c47ab08e68b0e6e312d1b42a5/details

MB: https://bazaar.abuse.ch/sample/f8b2a71a34172076cc65f15d14ed43099a1ddf0a294ffe34c6004ae430a10317/

Backdoor: https://bazaar.abuse.ch/sample/e675ada65b850344af62cee3d42e6f526b3f8acfb711d1144692aa7c95b1c367/

Triage: https://tria.ge/240305-wq4dysdc2y/behavioral2

#SolarMarker
#Signed #EV ТОВ "Оноп"

C2: 67.43.234.48
C2: 2.58.15.214
C2: 91.206.178.109

Triage: https://tria.ge/231217-v3sybageh4/behavioral1

VT: https://virustotal.com/gui/file/9dc4e8a0d45b04b1b4bc2df2a16aa37e5597624feed3b53a9c5ca2929a2fb6c3/

MB: https://bazaar.abuse.ch/sample/99af27441ed0cf1933b2d8a329d444b6ba243399f44d0babf4a0abba95e860c6/

Backdoor: https://bazaar.abuse.ch/sample/c657a0a83b60e8962a552753c3ae924772cf81a7f7100d06695432f4c117fe46/

First stage has recently changed. I may need a new blogpost. (My debloat tool doesn't work in this instance either.)

Low Detection #SolarMarker
#Signed #EV ТОВ "Софт Енжін юа"

C2: 146.70.71.135
C2: 91.206.178.109

Triage Analysis: https://tria.ge/231024-rhrb7sdd6z/behavioral1

VT: https://virustotal.com/gui/file/820eda2078723e7f1c09d0e6d3641ea822c2b36c981cb5bfa4e445733664c087/detection

MB: https://bazaar.abuse.ch/sample/70c2978f454bf649909371b631882baf3c9f3db525d342c9aed88fa0b334bf5e/

Backdoor: https://bazaar.abuse.ch/sample/79611ccdebf0fdafcf6844ea278314038ceda7b6f5c39ed7919cf6f7f2274c06/

#SolarMarker, what do you have against Ukraine?
-
Decoy PDF: US Assistance to Ukraine (unrelated lure), PowerShell loads backdoor
#Signed #EV ТОВ "Ветох"

C2: 146.70.145.224

VT: https://virustotal.com/gui/file/b55b93ec2e7b962840adfacb4e6007c620f6e7fc9a1289825b44b1376a5cc081

MB: https://bazaar.abuse.ch/sample/4d0f98d16ea2647123fa9014a0a0e30968d1c58c9735b077473d44a7632ec90c/

Backdoor: https://bazaar.abuse.ch/sample/4cc525e4fe09c6d8d5beb8afb5a3c6525b5a04e6a3db107920189bb1d4814d3a/
@th3_protoCOL

Low Detection #Solarmarker infostealer
#EV #SIGNED ТОВ "ТОРГОВИЙ ДІМ КБ СТІЛ"

C2: 78.135.73.148
C2: 185.236.203.159

Triage: https://tria.ge/230906-t5rycshg24/behavioral2
VT: https://www.virustotal.com/gui/file/e38b838995dfe3df7419264d3a02877fe8239e691b2bcd18b843afe8c7f9961e
MB: https://bazaar.abuse.ch/sample/99ec51581852b3e031c63c9c0f5138eaf86406a2e70e9d8dfe3ac540d19ef8ff/
Backdoor:
https://www.virustotal.com/gui/file/336c201cc3cedbb7cdf276a3137e6df7edc18b5deb6be1a79647c70e4a9fa61e
https://bazaar.abuse.ch/sample/336c201cc3cedbb7cdf276a3137e6df7edc18b5deb6be1a79647c70e4a9fa61e/

Low Detection #SolarMarker #Infostealer
#EV #SIGNED BAAAD KITTY LIMITED

Triage: https://tria.ge/230825-z8h3hseg97/behavioral2

C2: 146.70.125.68
C2: 46.30.188.221

VT: https://virustotal.com/gui/file/4f349e005eb9cebef10044b3f4aa181ea75cf9c107fb0683931397b2ea06a86d

MB: https://bazaar.abuse.ch/sample/825827fa914f10451d4cd390612ab16742e10601b51ca04c440569a66dc9fe46/

Backdoor:
https://virustotal.com/gui/file/aa376dab5cd54a8a191d13102a0d89d6771db7cb99e4ec341bc8bccd5e1b4107/detection
https://bazaar.abuse.ch/sample/aa376dab5cd54a8a191d13102a0d89d6771db7cb99e4ec341bc8bccd5e1b4107/

Low Detection #SolarMarker #Infostealer
#EV #SIGNED LAABAI LTD

This signing name was abused previously by SolarMarker, except it was under a different certificate provider. Most likely the impostor that registered it registered the same name with multiple certificate providers. (See my blog post on this type of behavior if it sounds unfamiliar to you: https://squiblydoo.blog/2023/05/12/certified-bad/)

C2: 146.70.40.228
C2: 212.237.217.133

VT: https://virustotal.com/gui/file/a0114420ff98f4f09df676527add4ccaaf4326b4bd0c87b153d1ea71adf50022/details

MB: https://bazaar.abuse.ch/sample/fd834695fc878b5ed5178dad86cf30130adf4a7ac88d5997f8eb7814ca41f211/

Backdoor: https://bazaar.abuse.ch/sample/b44f87ac8e73b8338f7f0c689f4782c7aff9ec9c569cd68b8c01c6b1ff65beb3/

newest #solarmarker infostealer malware:

https://www.virustotal.com/gui/file/250fe7be536bb8674dd7e0e7c4de2ca1e3311ed657181d950dda6590a3bded51/details

#SEOPoisoning -> Fake Sites -> download via diggiski[.]com

A solarmaker download site thats themed as the Internet Archive

Low detection #SolarMarker infostealer
C2: 91.206.178.106
C2: 193.29.56.179
Signed: "CHILL ANAESTHESIA LTD."

VT: 3/66 https://virustotal.com/gui/file/c6fda8a049ebd7872358acfa2505f226e931e0f71090c19412e7b6d0a1c6e129/detection

MB: https://bazaar.abuse.ch/sample/82600121c6678c2fc313d8e94031b65ac5ff0e0c1b5e0fac00410f222ca747ac

Backdoor: https://bazaar.abuse.ch/sample/511637bf26adb8ac42cec6f38da7cc25ceee118e4a5f09e61bfc39defbc97809/

Dug into the #solarmarker #infostealer the past two months and built out this infograph describing the attack chain. Major credit is due to @th3_protoCOL for Intel on this, and definitely read up on squibblydoo's blog post on the malware family as they describe the attack chain fantastically.
https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/

I haven't shared our monthly insight here in awhile, so here it is! Red Canary's intel insight for July.

https://redcanary.com/blog/intelligence-insights-july-2023/

We saw #YellowCockatoo (aka #SolarMarker ) reappear in a big way. We also had an interesting wave of #Stealc activity, plus a phishing campaign delivering #3losh that then dropped #AsyncRAT