Attackers combined StellarInjector and SolarPhantom for improved system compromise and data exfiltration. SolarMarker manipulated search results via SEO poisoning to push deceptive links to a site impersonating Indeed.
The incident highlights the dangers of clicking on seemingly legitimate search results and emphasizes the need for user vigilance in verifying website authenticity before downloading.
The attackers' use of legitimate certificates underscores the importance of thorough digital certificate scrutiny. Countering such attacks effectively requires continuous vigilance, threat intelligence, timely security updates, and employee training.
A user searching for team-building ideas on Bing was redirected to a malicious site disguised as Indeed, which tricked the user into downloading a file containing the SolarMarker backdoor, hidden within the encrypted resource section of the file.
Upon executing the downloaded file, a fake error message was displayed, which highlights SolarMarker’s evolving tactics, where the backdoor is no longer embedded directly in the code but resides within the resource section after download.
An attacker compromised a system using a backdoor that connects to servers at 2.58.15.118 and 146.70.80.83. Upon successful connection, the backdoor downloaded and injected the StellarInjector payload (MD5: 0440b3fbc030233b4e9c6748eba27e4d), which then injected SolarPhantom (MD5: 6bef5498c56691553dc95917ff103f5e) into the SearchIndexer.exe process.
SolarPhantom can steal information and establish hidden virtual network connections. The backdoor configuration reveals the compromised system is a Windows 10 x86 machine with an unknown hostname and workgroup.
According to eSentire’s Threat Response Unit (TRU), the malware stores browsing data in a folder inside the user’s temporary directory whose name contains a ten-digit value.
To generate that name, a byte taken from a path that includes the user’s browser profile and the Firefox executable location is XORed with the least significant byte of a shifted v1 value.
The result is used as an index into a CRC32 table, and the table value retrieved is XORed with v1 to update it before the next byte is processed. Separately, two certificates observed during the initial payload delivery, one issued by DigiCert and the other by GlobalSign, were examined.
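The per-byte loop described above (XOR a byte with the low byte of the running value, use the result as a table index, XOR the table entry back into the shifted running value) has the shape of a standard table-driven CRC32. As an added illustration, not code from the article or from eSentire’s analysis, the Python below implements that loop and renders the 32-bit result as a zero-padded decimal, which is at most ten digits (4294967295), consistent with the ten-digit value the article mentions. The polynomial, initial value and final XOR are the standard CRC32 parameters and are assumptions here; the article does not state them. The sample path is constructed for the example.

```python
import zlib

# Standard reflected CRC32 polynomial; assumed, the article names no polynomial.
CRC32_POLY = 0xEDB88320


def build_crc32_table(poly: int = CRC32_POLY) -> list[int]:
    """Build the 256-entry lookup table used by the table-driven CRC32 loop."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ poly if c & 1 else c >> 1
        table.append(c)
    return table


CRC32_TABLE = build_crc32_table()


def crc32_table_driven(data: bytes, v1: int = 0xFFFFFFFF) -> int:
    """Table-driven CRC32 with the per-byte loop the article describes:
    XOR the byte with the low byte of v1, index the table with the result,
    then XOR the table value into the shifted v1 to update it for the next byte.
    Initial value and final XOR are the standard CRC32 ones (assumption)."""
    for b in data:
        index = (v1 ^ b) & 0xFF          # byte XOR least significant byte of v1
        v1 = CRC32_TABLE[index] ^ (v1 >> 8)  # table value XOR shifted v1
    return v1 ^ 0xFFFFFFFF


def folder_name_for(path: str) -> str:
    """Render the CRC of a path as a zero-padded ten-digit decimal string.
    A 32-bit value never needs more than ten decimal digits."""
    return f"{crc32_table_driven(path.encode('utf-8')):010d}"


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-written loop against zlib's CRC32 implementation."""
    return crc32_table_driven(data) == zlib.crc32(data)


if __name__ == "__main__":
    # Constructed sample input: a Firefox profile path plus executable location.
    sample_path = (
        r"C:\Users\example\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default"
        r"|C:\Program Files\Mozilla Firefox\firefox.exe"
    )
    print("matches zlib:", matches_zlib(sample_path.encode("utf-8")))
    print("folder name value:", folder_name_for(sample_path))
```

For a defender, the useful point is that such a name is deterministic for a given machine: once the hashed input is known, the expected folder name can be computed and searched for in the temporary directory, and any ten-digit-named folder there is worth a second look.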