SolarMarker, an information-stealing malware

May 22 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s always fishing, never phishing 🎣🎣🎣

Today’s hottest cybersecurity news stories:

  • ☀️ SolarMarker malware returns thanks to multi-tiered infrastructure 🌐

  • 🌧️ Every cloud… CLOUD#REVERSER targets Google Drive, Dropbox 🎯

  • 🖥️ GitHub Enterprise Server (GHES) flaw allows authentication bypass 🔓

They’d been working tierlessly 😬, up until now 💀

🚨 SolarMarker: A Stealthy Cyber Threat 🛡️

SolarMarker, an information-stealing malware, has built a complex, multi-tiered infrastructure to evade law enforcement takedowns, according to Recorded Future.

Adaptable and Evolving 💻

SolarMarker's layered infrastructure includes two clusters: a primary one for active operations and a secondary one for testing new strategies. This setup makes it hard to eliminate.

Target Sectors 🎯

Active since September 2020, SolarMarker targets sectors like education, government, healthcare, hospitality, and SMEs. Key victims include universities, government departments, and global hotel chains, mostly in the U.S.

Stealth Techniques 🕵️

The malware has evolved to become more stealthy, using larger payloads, valid Authenticode certificates, and novel Windows Registry changes. It runs from memory, avoiding disk detection.

Infection Methods 💉

Infection usually occurs through bogus downloader sites or malicious emails. Initial droppers are EXE and MSI files that deploy a .NET-based backdoor, which then downloads additional payloads for data theft.

New Variants & Techniques 🔄

Recent variants use Inno Setup, PS2EXE tools, and a new PyInstaller version, sometimes hidden in decoy files like a dishwasher manual.

Command-and-Control (C2) Structure 🕸️

The malware's C2 structure includes multiple tiers:

  • Tier 1: Direct contact with victim machines

  • Tier 2 & 3: Intermediate communication layers

  • Tier 4: Central server, managing operations and connecting to an auxiliary server for monitoring.

SolarMarker's sophisticated infrastructure and evolving tactics make it a formidable cyber threat.

Hacker bro pulled the Uno #REVERSER 🙈🙈🙈

🚨 CLOUD#REVERSER: Malware Using Cloud Storage ☁️

A new malware campaign called CLOUD#REVERSER uses legitimate cloud services like Google Drive and Dropbox to stage malicious payloads, according to Securonix researchers.

Phishing Attack 📝

The attack begins with a phishing email containing a ZIP file. This file has an executable disguised as an Excel document using a right-to-left override (RLO) Unicode character to trick victims.
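The right-to-left override trick relies on the file name containing a Unicode bidi control (U+202E) that makes a name ending in `.exe` display as if it ended in `.xlsx`. The script below is an added example, not code from the newsletter or from Securonix: it scans file names for bidi control characters, reconstructs what a naive file browser would display, and compares the displayed extension with the one the operating system actually uses. The attachment names at the bottom are constructed for the demonstration.

```python
# Added example (not from the newsletter or from Securonix): flag attachment
# names that use Unicode bidirectional controls to disguise their extension.

# Bidi control characters that change display order without changing the
# bytes of the name. Any of them inside a file name deserves a closer look.
BIDI_CONTROLS = {
    "\u202A": "LEFT-TO-RIGHT EMBEDDING",
    "\u202B": "RIGHT-TO-LEFT EMBEDDING",
    "\u202C": "POP DIRECTIONAL FORMATTING",
    "\u202D": "LEFT-TO-RIGHT OVERRIDE",
    "\u202E": "RIGHT-TO-LEFT OVERRIDE",
    "\u2066": "LEFT-TO-RIGHT ISOLATE",
    "\u2067": "RIGHT-TO-LEFT ISOLATE",
    "\u2068": "FIRST STRONG ISOLATE",
    "\u2069": "POP DIRECTIONAL ISOLATE",
}
RLO = "\u202E"  # right-to-left override: text after it renders reversed
PDF = "\u202C"  # pop directional formatting: ends an override run


def find_bidi_controls(name):
    """Return (index, control name) for every bidi control in the name."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(name) if ch in BIDI_CONTROLS]


def displayed_name(name):
    """Approximate what a file browser shows: characters after an RLO are
    rendered in reverse order until a PDF or the end of the name, and the
    control characters themselves are invisible."""
    out, i, n = [], 0, len(name)
    while i < n:
        ch = name[i]
        if ch == RLO:
            j, segment = i + 1, []
            while j < n and name[j] != PDF:
                if name[j] not in BIDI_CONTROLS:
                    segment.append(name[j])
                j += 1
            out.extend(reversed(segment))
            i = j + 1  # skip the PDF if one was present
            continue
        if ch not in BIDI_CONTROLS:
            out.append(ch)
        i += 1
    return "".join(out)


def _extension(text):
    """Lower-cased text after the last dot, or '' if there is no dot."""
    return text.rsplit(".", 1)[-1].lower() if "." in text else ""


def actual_extension(name):
    """The extension the OS acts on: controls removed, last dot wins."""
    return _extension("".join(ch for ch in name if ch not in BIDI_CONTROLS))


def displayed_extension(name):
    """The extension a user sees once the bidi controls have done their work."""
    return _extension(displayed_name(name))


def assess(name):
    """Summarise one file name for a triage report."""
    controls = find_bidi_controls(name)
    real_ext, shown_ext = actual_extension(name), displayed_extension(name)
    return {
        "name": name,
        "displayed": displayed_name(name),
        "bidi_controls": controls,
        "real_extension": real_ext,
        "displayed_extension": shown_ext,
        "extension_mismatch": real_ext != shown_ext,
        "suspicious": bool(controls),
    }


if __name__ == "__main__":
    # Constructed attachment names; the first mimics the RLO trick in the text.
    for attachment in ["report\u202Exslx.exe", "quarterly.xlsx", "notes\u2066.txt"]:
        result = assess(attachment)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} shown as {result['displayed']!r}, "
              f"real extension .{result['real_extension']}")
```

Any bidi control is flagged, not only a mismatching extension: legitimate file names almost never carry these code points, so a hit is cheap to review and the display reconstruction is there to explain the alert rather than to decide it.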

Payload Delivery 📂

The malicious executable drops eight payloads, including:

  • A decoy Excel file

  • An obfuscated VBScript to maintain the ruse

  • Scripts for setting up persistence and downloading more malicious files

Persistence & Obfuscation 🕵️

VB and PowerShell scripts create scheduled tasks disguised as Google Chrome updates to avoid detection. These scripts connect to Dropbox and Google Drive to download further instructions and payloads.

Dynamic & Stealthy 🌐

The PowerShell scripts downloaded on-the-fly can be modified by attackers to change the files fetched and executed. This makes the malware adaptable and difficult to trace.

Stealth Operations 👀

By leveraging cloud services, CLOUD#REVERSER blends into regular network activity, making it hard to detect. It uses these platforms for data exfiltration and command execution.

Ongoing Investigation 🔍

The full scope and targets of this campaign are still unknown as the investigation by the Texas-based cybersecurity firm continues.

This method highlights the increasing misuse of legitimate cloud services by threat actors to evade detection and maintain access to compromised systems.

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌍

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🐊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

Hackers: eyes on the Enterprise, boys 👀🎁🙃

🚨 GitHub Patches Critical Security Flaw 🔒

Maximum Severity Flaw Fixed! GitHub has patched a critical vulnerability in GitHub Enterprise Server (GHES), tracked as CVE-2024-4985, which could allow attackers to bypass authentication (CVSS score: 10.0).

Authentication Bypass 🔓

The flaw affects instances using SAML single sign-on (SSO) with encrypted assertions. Attackers could forge a SAML response to gain admin access without prior authentication.

Impact & Versions Affected 📉

Affects all GHES versions prior to 3.13.0.

Fixed in versions: 3.9.15, 3.10.12, 3.11.10, and 3.12.4.

Secure Your Instance ⚙️

GHES users are advised to update to the latest version to mitigate this critical risk.

Encryption Not Default ⚠️

Encrypted assertions are not enabled by default.

Instances not using SAML SSO or using SAML SSO without encrypted assertions are not affected.
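Because the fix was backported to four release branches, "am I patched?" is a per-branch comparison rather than a single version threshold, and the exposure also depends on the SAML configuration. The script below is an added example, not code from the newsletter or from GitHub: it encodes the fixed versions and the affected range exactly as summarised above and classifies an inventory row as not affected, patched or vulnerable. Branches older than 3.9 have no fixed release listed here, so the check treats them as unpatched; the inventory rows are constructed.

```python
# Added example (not from the newsletter or from GitHub): classify GHES
# instances against the CVE-2024-4985 advisory as summarised above.

# Fixed releases per supported branch, as listed in the summary.
FIXED_IN = {
    (3, 9): (3, 9, 15),
    (3, 10): (3, 10, 12),
    (3, 11): (3, 11, 10),
    (3, 12): (3, 12, 4),
}
# The summary states that all versions prior to 3.13.0 are affected, so
# 3.13 and later fall outside the affected range.
FIRST_UNAFFECTED_BRANCH = (3, 13)


def parse_version(text):
    """Turn '3.12.4' into (3, 12, 4); missing components default to 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(version):
    """True if this GHES version carries the fix (or is outside the affected range)."""
    v = parse_version(version)
    if v[:2] >= FIRST_UNAFFECTED_BRANCH:
        return True
    fixed = FIXED_IN.get(v[:2])
    # Branches with no fixed release listed (older than 3.9) count as unpatched.
    return fixed is not None and v >= fixed


def exposure(version, saml_sso, encrypted_assertions):
    """Classify an instance as 'not affected', 'patched' or 'vulnerable'.

    Only SAML SSO with encrypted assertions is in scope; encrypted assertions
    are off by default, so many instances land in 'not affected'."""
    if not (saml_sso and encrypted_assertions):
        return "not affected"
    return "patched" if is_patched(version) else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version, saml_sso, encrypted_assertions)
    inventory = [
        ("ghes-prod.example.internal", "3.11.9", True, True),
        ("ghes-dev.example.internal", "3.12.4", True, True),
        ("ghes-legacy.example.internal", "3.8.20", True, False),
    ]
    for host, ver, sso, enc in inventory:
        print(f"{host:32} {ver:8} {exposure(ver, sso, enc)}")
```

Note the ordering of the two checks: the configuration test comes first because an unpatched instance without encrypted assertions is not exposed to this flaw, but it is still worth patching, so the 'not affected' label should drive prioritisation rather than replace the upgrade.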

Update Recommended 🛡️

Organisations using vulnerable versions should update immediately to protect against potential unauthorised access and secure their software development environments.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
