Educational and medical institutions have fallen victim to a new malicious credential theft campaign. During attacks, criminals infect victims’ systems with a .NET info-stealer and keylogger.
According to Cisco Talos, the malicious campaign dubbed Solarmarker began back in September 2020. The infection begins with the installation of the .NET-based Mars assembly module, which serves as a system profiler and as the intermediary to the C&C server. Further malicious actions include installing the info-stealer components called Jupyter and Uran.
The first component has the functionality to steal personal data, credentials, and form submission values from Mozilla Firefox and Google Chrome browsers. The second component acts as a keylogger to intercept the user’s keystrokes.
During the current campaign, the criminals have resorted to so-called “SEO poisoning”. This technique abuses search engine optimization mechanisms to draw more attention to malicious sites or to make malicious loader files more visible in search results. The attackers use thousands of PDFs stuffed with SEO keywords and links.
Previously, Solarmarker samples were downloaded from a page with the generic title “PdfDocDownloadsPanel”. During the current campaign, the Solarmarker operators have put in extra effort to make the final download page more believable and different from previous versions. The download page is now disguised as a Google Drive file download request.
The most frequent targets were organizations in health care, education and municipal government. The attacks also hit a small group of manufacturing organizations, as well as several individual religious organizations, financial services firms and construction companies. According to the experts, the criminals do not target any specific industries.
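The SEO-poisoning lures described above share a recognisable shape: a short set of search keywords repeated over and over, plus a large number of outbound links. The following scorer is an added example for defenders, not code from the article or from Cisco Talos; it computes a keyword-stuffing ratio and a link density over extracted document text and flags documents that exceed assumed thresholds. The two sample documents and all thresholds are constructed for illustration.

```python
"""Heuristic scorer for SEO-poisoning style lure documents.

Added example (not from the original article or Cisco Talos). It looks for
the pattern attributed to the Solarmarker PDF lures: a handful of search
keywords repeated many times together with many outbound links. Thresholds
and sample texts are constructed assumptions, not values from the article.
"""
import re
from collections import Counter

# Outbound links; stops at whitespace and common closing punctuation.
URL_RE = re.compile(r'https?://[^\s)>\]"]+', re.IGNORECASE)
# Words of three or more letters; short tokens such as "a" or "to" are ignored.
WORD_RE = re.compile(r"[a-z][a-z'-]{2,}")


def extract_links(text):
    """Return every http(s) URL found in the text."""
    return URL_RE.findall(text)


def extract_words(text):
    """Lower-case word list with URLs removed so link text is not counted as prose."""
    return WORD_RE.findall(URL_RE.sub(" ", text.lower()))


def keyword_stuffing_ratio(text, top_n=5):
    """Share of all words taken up by the top_n most frequent words.

    Natural prose spreads its vocabulary out, so the ratio stays low;
    keyword-stuffed lures concentrate almost everything in a few terms.
    """
    words = extract_words(text)
    if not words:
        return 0.0
    top = sum(count for _, count in Counter(words).most_common(top_n))
    return top / len(words)


def link_density(text):
    """Outbound links per word of prose."""
    words = extract_words(text)
    return len(extract_links(text)) / max(len(words), 1)


def score_document(text, stuffing_threshold=0.4, link_threshold=0.05):
    """Return the two metrics and a verdict; thresholds are assumed values."""
    ratio = keyword_stuffing_ratio(text)
    density = link_density(text)
    suspicious = ratio >= stuffing_threshold and density >= link_threshold
    return {
        "stuffing_ratio": ratio,
        "link_density": density,
        "verdict": "suspicious" if suspicious else "benign",
    }


# Constructed sample: five keywords repeated eight times plus six links,
# imitating the shape of an SEO-poisoned lure (not a real sample).
LURE = " ".join(["free pdf download template form"] * 8) + " " + " ".join(
    f"https://example.invalid/doc{i}.pdf" for i in range(6)
)

# Constructed sample of ordinary prose with a single reference link.
BENIGN = (
    "Cisco Talos researchers documented a credential theft campaign that "
    "targets education and health care organizations. The operators use "
    "search engine optimization to push lure documents into search results, "
    "and the final page imitates a Google Drive download request. "
    "See https://example.invalid/report for details."
)

if __name__ == "__main__":
    for name, doc in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_document(doc))
```

The scorer is meant as a triage signal over text already extracted from PDFs or landing pages (for example by a sandbox or a PDF-to-text tool), not as a standalone verdict; tune the thresholds against your own corpus before acting on the result.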
Static and dynamic analysis of Solarmarker artefacts carried out by the experts indicates that the hacker group may be Russian-speaking. However, the experts suspect that the malware's creators may have deliberately designed it this way to mislead information security researchers.