Beware of Malicious Search Results Leading to SolarMarker Malware Installation

Attackers combined StellarInjector and SolarPhantom for improved system compromise and data exfiltration. SolarMarker manipulated search results via SEO poisoning to push deceptive links that impersonated Indeed.

The incident highlights the dangers of clicking on seemingly legitimate search results and emphasizes the need for user vigilance in verifying website authenticity before downloading. 

The attackers' use of legitimate certificates underscores the importance of thorough digital certificate scrutiny, and the campaign as a whole stresses the need for continuous vigilance, threat intelligence, security updates, and employee training to effectively counter such attacks.

Infection chain

A user searching for team-building ideas on Bing was redirected to a malicious site disguised as Indeed, which tricked the user into downloading a file containing the SolarMarker backdoor, hidden within the encrypted resource section of the file. 

Upon executing the downloaded file, a fake error message was displayed, which highlights SolarMarker’s evolving tactics, where the backdoor is no longer embedded directly in the code but resides within the resource section after download. 

Embedded SolarMarker backdoor in the resource section

An attacker compromised a system using a backdoor that connects to servers at 2.58.15.118 and 146.70.80.83. Upon successful connection, the backdoor downloaded and injected the StellarInjector payload (MD5: 0440b3fbc030233b4e9c6748eba27e4d), which then injected SolarPhantom (MD5: 6bef5498c56691553dc95917ff103f5e) into the SearchIndexer.exe process. 

SolarPhantom can steal information and establish hidden virtual network connections. The backdoor configuration reveals the compromised system is a Windows 10 x86 machine with an unknown hostname and workgroup. 
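The indicators above (the two server addresses, the two payload hashes, and the SearchIndexer.exe injection target) are the kind of data a detection engineer would turn into hunting logic. The following is an added example, not code from the article or from eSentire: it matches constructed sample telemetry lines against the indicators quoted in the text. The telemetry format (pipe-separated `network` and `filehash` records) and the heuristic that SearchIndexer.exe should not be talking to non-private hosts are assumptions made here for illustration.

```python
import ipaddress

# Indicators quoted from the article
C2_IPS = {"2.58.15.118", "146.70.80.83"}
PAYLOAD_MD5S = {
    "0440b3fbc030233b4e9c6748eba27e4d": "StellarInjector",
    "6bef5498c56691553dc95917ff103f5e": "SolarPhantom",
}
# Process the article names as the SolarPhantom injection target
INJECTION_TARGET = "searchindexer.exe"

# Constructed sample telemetry (not from the article); fields are
# network|<process>|<remote ip>|<remote port> and filehash|<path>|<md5>
SAMPLE_EVENTS = [
    "network|SearchIndexer.exe|146.70.80.83|443",
    "network|chrome.exe|142.250.72.14|443",
    "filehash|C:\\Users\\u\\AppData\\Local\\Temp\\x.dll|0440b3fbc030233b4e9c6748eba27e4d",
    "filehash|C:\\Windows\\System32\\notepad.exe|d41d8cd98f00b204e9800998ecf8427e",
    "network|SearchIndexer.exe|10.0.0.5|445",
]


def evaluate(line: str):
    """Return a verdict string for a suspicious event, or None if it is benign."""
    kind, *fields = line.split("|")
    if kind == "network":
        proc, ip, port = fields
        if ip in C2_IPS:
            return f"known SolarMarker C2 {ip} contacted by {proc}"
        # Assumed heuristic: the search indexer has no business reaching the internet
        if proc.lower() == INJECTION_TARGET and not ipaddress.ip_address(ip).is_private:
            return f"{proc} reaching external host {ip}:{port} (SolarPhantom injection target)"
    elif kind == "filehash":
        path, md5 = fields
        name = PAYLOAD_MD5S.get(md5.lower())
        if name:
            return f"{name} payload hash at {path}"
    return None


def scan(lines):
    """Return (line, verdict) pairs for every event that triggered a rule."""
    hits = []
    for line in lines:
        verdict = evaluate(line)
        if verdict:
            hits.append((line, verdict))
    return hits


if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_EVENTS):
        print(f"ALERT: {verdict}")
```

The hash match is exact, so it only catches the two samples the article describes; the SearchIndexer.exe network heuristic is what gives the rule some durability when the operators rotate payloads and servers.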

Process tree

According to eSentire's Threat Response Unit (TRU), the malware stores browsing data in a folder within the user's temporary directory whose name contains a ten-digit value.

The filename generation involves XORing a byte retrieved from a path that includes the user’s browser profile and Firefox executable location with the least significant byte of a shifted v1 value. 

The resulting index selects a value from a CRC32 table, and that value is XORed with v1 to update it for the subsequent byte. During the initial payload delivery, two certificates, one issued by DigiCert and the other by GlobalSign, were examined.
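The XOR-with-low-byte, table-lookup, XOR-to-update loop described above is the standard table-driven CRC32 shape, and a CRC32 printed as a zero-padded decimal is exactly ten digits, which is consistent with the ten-digit folder name TRU mentions. The following added example (not eSentire's or the article's code) implements that loop so an analyst can derive the folder name a given profile path would produce. It assumes the common reflected polynomial 0xEDB88320, an initial v1 of 0xFFFFFFFF with final inversion, a one-byte right shift of v1 per step, and decimal formatting; the article states none of these, so the real sample may differ in any of them, and the sample path is constructed.

```python
# Assumed: IEEE reflected CRC-32 polynomial; the article does not name one
POLY = 0xEDB88320


def build_crc32_table():
    """Precompute the 256-entry CRC32 table the algorithm indexes into."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = build_crc32_table()


def table_crc32(data: bytes, v1: int = 0xFFFFFFFF) -> int:
    """Table-driven CRC32 in the shape the article describes.

    For each byte: index = byte XOR (least significant byte of v1),
    then v1 = TABLE[index] XOR (v1 shifted right by 8).
    Initial value and final inversion are assumptions, not from the article.
    """
    for b in data:
        index = (b ^ v1) & 0xFF
        v1 = TABLE[index] ^ (v1 >> 8)
    return v1 ^ 0xFFFFFFFF


def folder_name(profile_path: str) -> str:
    """Ten-digit, zero-padded decimal rendering of the CRC32 (assumed format)."""
    return f"{table_crc32(profile_path.encode('utf-8')):010d}"


def matches_zlib(data: bytes) -> bool:
    """Cross-check the hand-rolled loop against the standard library's CRC32."""
    import zlib
    return table_crc32(data) == zlib.crc32(data)


if __name__ == "__main__":
    # Constructed sample path, not an observed artifact
    sample = r"C:\Users\analyst\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default"
    print(folder_name(sample))
```

Because the loop is plain CRC32, the cross-check against `zlib.crc32` confirms the arrangement of the XOR and shift; if a real sample's folder names do not match, the analyst knows to look for a different initial value, shift or finalization rather than a bug in the loop.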

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
