Malicious search results can lead to the installation of SolarMarker malware

SOC analysts identified a drive-by download attack delivering SolarMarker malware; the attack targeted users searching for team-building activities on Bing. The attackers tricked the victim into downloading an apparently harmless document by redirecting the user to a malicious website that mimicked the legitimate Indeed job search platform.

The downloaded file was in fact the SolarMarker payload, which, once executed, deployed additional malicious components, StellarInjector and SolarPhantom, to further compromise the system.

SolarMarker has changed its tactics: previously the backdoor was embedded directly in the code, whereas now the malware hides the backdoor in the resource section as an AES-encrypted file. Once executed, the initial payload displays a fake error message, and the backdoor connects to command and control (C2) servers at the IP addresses 2.58.15[.]118 and 146.70.80[.]83.

Threat actors delivered the StellarInjector payload (MD5: 0440b3fbc030233b4e9c6748eba27e4d) after the backdoor successfully connected to its server. This payload injects SolarPhantom (MD5: 6bef5498c56691553dc95917ff103f5e) into the SearchIndexer.exe process, providing data-theft and hidden virtual network computing (hVNC) capabilities. The backdoor configuration indicates that the target system was Windows 10 x86 running with limited privileges.
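Detection logic for the chain described above, run over a handful of constructed Sysmon-style events. This is an added example, not eSentire's detection content or SolarMarker code; the two C2 IPs, the StellarInjector and SolarPhantom MD5 hashes and SearchIndexer.exe as the injection target are taken from the article, while the sample events, the file paths in them, and the heuristic that SearchIndexer.exe should not make outbound network connections are this example's own assumptions.

```python
"""Match Sysmon-style events against the SolarMarker indicators named in the article.

Added example. The event records below are constructed for illustration;
the indicators (C2 IPs, MD5s, injection target) come from the article.
"""

# Indicators stated in the article.
C2_IPS = {"2.58.15.118", "146.70.80.83"}
KNOWN_MD5 = {
    "0440b3fbc030233b4e9c6748eba27e4d": "StellarInjector",
    "6bef5498c56691553dc95917ff103f5e": "SolarPhantom",
}
INJECTION_TARGET = "searchindexer.exe"


def _basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _md5_from_hashes(hashes):
    """Sysmon writes hashes as 'MD5=...,SHA256=...'; return the MD5 value, lower-cased."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "MD5":
            return value.strip().lower()
    return None


def detect(events):
    """Return (rule, detail, subject) tuples for every event matching a rule."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # Sysmon process creation
            md5 = _md5_from_hashes(ev.get("Hashes", ""))
            if md5 in KNOWN_MD5:
                alerts.append(("known_hash", KNOWN_MD5[md5], ev["Image"]))
        elif eid == 3:  # Sysmon network connection
            dst = ev.get("DestinationIp", "")
            if dst in C2_IPS:
                alerts.append(("c2_connection", dst, ev["Image"]))
            # Heuristic (assumption): the Windows Search indexer has no business
            # talking to the internet, so any egress from it is worth a look.
            if _basename(ev.get("Image", "")) == INJECTION_TARGET:
                alerts.append(("unexpected_egress", dst, ev["Image"]))
        elif eid == 8:  # Sysmon CreateRemoteThread
            if _basename(ev.get("TargetImage", "")) == INJECTION_TARGET:
                alerts.append(("remote_thread_into_target",
                               ev["SourceImage"], ev["TargetImage"]))
    return alerts


# Constructed sample events (paths and the benign IP are invented for the example).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\TeamBuilding.exe",
     "Hashes": "MD5=0440B3FBC030233B4E9C6748EBA27E4D"},
    {"EventID": 3, "Image": r"C:\Users\victim\Downloads\TeamBuilding.exe",
     "DestinationIp": "2.58.15.118", "DestinationPort": 443},
    {"EventID": 8, "SourceImage": r"C:\Users\victim\Downloads\TeamBuilding.exe",
     "TargetImage": r"C:\Windows\System32\SearchIndexer.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\SearchIndexer.exe",
     "DestinationIp": "146.70.80.83", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 443},  # benign, no alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The last SearchIndexer.exe event trips two rules at once (a known C2 destination and egress from a process that should have none); keeping the rules independent is deliberate, so the egress heuristic still fires when the C2 addresses rotate.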

It targets Firefox browsing data, extracts the user's profile path, and appends "Saturn" and the location of the Firefox executable, likely for use in further malicious activity. The malware then uses an RSA public key, defined by the supplied `<Modulus>` and `<Exponent>` values, presumably for encryption or verification, and appears to stage the stolen data in temporary folders named with 10-digit numbers.


The malware, known for data theft, uses a specific algorithm to generate folder names for the initial payload: it shifts a v1 value by 8 bits and XORs its least significant byte with a byte of input. The resulting index is used to retrieve a value from a CRC32 lookup table, and that value is XORed with the v1 value, updating it for the next iteration. Notably, for this initial payload SolarMarker uses two separate certificates, issued by DigiCert and GlobalSign.
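The loop described above is the classic table-driven CRC-32 step, written out here as an added example (not SolarMarker's own code and not from eSentire's report). It assumes the standard reflected CRC-32 table (polynomial 0xEDB88320), a running value that starts at 0xFFFFFFFF and is inverted at the end, and that the resulting 32-bit value printed in decimal is what yields the 10-digit folder names mentioned earlier; the input bytes are constructed, and the result is checked against the standard library's `zlib.crc32`.

```python
"""Table-driven CRC-32 in the shape the article describes for folder-name generation.

Added example; assumptions: standard reflected CRC-32 table, initial v1 of
0xFFFFFFFF with final inversion, and decimal rendering of the 32-bit result.
"""
import zlib

POLY = 0xEDB88320  # reflected CRC-32 polynomial (assumption: the standard table)


def build_crc32_table():
    """Build the 256-entry lookup table that the per-byte loop indexes into."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ POLY if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = build_crc32_table()


def crc32_step(v1, byte):
    """One iteration of the loop: low byte of v1 XOR input byte -> table index;
    the table entry XORed with v1 shifted right by 8 bits becomes the new v1."""
    index = (v1 ^ byte) & 0xFF
    return TABLE[index] ^ (v1 >> 8)


def crc32_table_driven(data):
    """Run the step over every input byte and return the 32-bit checksum."""
    v1 = 0xFFFFFFFF
    for b in data:
        v1 = crc32_step(v1, b)
    return v1 ^ 0xFFFFFFFF


def folder_name(seed):
    """Render the checksum as a 10-digit decimal string.

    A uint32 in decimal is at most 10 digits (2**32 - 1 = 4294967295), so
    zero-padding to width 10 gives names of the shape mentioned in the article
    (assumption about how the value is rendered).
    """
    return "%010d" % crc32_table_driven(seed)


if __name__ == "__main__":
    sample = b"123456789"  # constructed input; also the standard CRC-32 check vector
    value = crc32_table_driven(sample)
    assert value == zlib.crc32(sample)
    print(hex(value))         # 0xcbf43926
    print(folder_name(sample))  # 3421780262
```

Matching the output against `zlib.crc32` is the quickest way, when reversing a sample, to confirm that a loop of this shape is a stock CRC-32 rather than a customised table or polynomial; if the values diverge, dump the 256-entry table from the binary and compare it with `TABLE` entry by entry.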

eSentire's Threat Response Unit (TRU) investigated a SolarMarker infection in April 2024. The attack began with a drive-by download when a user searched for team-building ideas on Bing, and then deployed additional components, StellarInjector and SolarPhantom, for data theft and remote access. The backdoor connected to servers at 2.58.15[.]118 and 146.70.80[.]83. The case highlights the use of SEO poisoning and fake websites imitating legitimate ones, and the need for user awareness and timely security updates.