#SolarMarker RAT
#Signed "Plus 5 XP Corporation"
#ImpostorCertificate

Decoy: Show('The code execution cannot proceed because MSVCR120.dll was not found. Reinstalling the program may fix this problem.'

C2: 68.233.238.123

More links in comment

VT: https://virustotal.com/gui/file/96512386ea92612cd3c09c377f6a62e1df7a940ce4e46ca5562d75a1017413c9/details

Triage: https://tria.ge/240603-xv6kjsge95/behavioral2

MB: https://bazaar.abuse.ch/sample/ba00fdc92ceaa66612cda52a770bda7961f8cee511e714b6db208583e9f40729/

Backdoor: https://bazaar.abuse.ch/sample/8b3e8a5415487bfb9d6dddaa5e3983ec364bd7754488e97501766dbdfdf39719/

It is common for malware to be signed with code signing certificates.

How is this possible? Impostors receive the cert directly and sign malware.

In this blog-post, we look at 100 certs used by #Solarmarker malware to learn more.

https://squiblydoo.blog/2024/05/13/impostor-certs/

#SolarMarker Infostealer
#Signed: "Table Ronde 1155 Inc."
This marks 100 Authenticode Certificates for SolarMarker. Watch for our blog-post looking back over these 100 certs. Image is a sneak peak.

Loader: https://www.virustotal.com/gui/file/6c59f4f268f1ce1d85cdf9169e81464bb950ec572ea1e3ab9cc4ff4a75589435
MB: https://bazaar.abuse.ch/sample/f857356716201ad76f53ff847644b230f54859c442f6f0ff35c2dc5ee2879374/

Backdoor: https://www.virustotal.com/gui/file/d1cc1eee8759fb31c6c45a8a690e1a977848655ae9bd6d8ce6ac3fcef80814b1/detection
https://bazaar.abuse.ch/sample/d1cc1eee8759fb31c6c45a8a690e1a977848655ae9bd6d8ce6ac3fcef80814b1/

eSentire described two incidents today:

• a tax-themed threat delivering XWorm as the final payload, using phishing emails as initial infection vector. 🔗https://www.esentire.com/blog/dont-take-the-bait-the-xworm-tax-scam
• SolarMarker malware campaigns are now utilizing PyInstaller to hide malicious PowerShell scripts 🔗 https://www.esentire.com/blog/solarmarkers-shift-to-pyinstaller-tactics

Attack chains, IOC and Yara rules provided.

#threatintel #IOC #Xworm #phishing #SolarMarker #PyInstaller

#SolarMarker #Infostealer is back.
Signed: "SLIM DOG SP Z O O"

Decoy + Backdoor
Today, the decoy is a 240pg graphic novel.

VT: https://virustotal.com/gui/file/fbef401c6a7ad24640f6b6583aa0d0fa02aa895c47ab08e68b0e6e312d1b42a5/details

MB: https://bazaar.abuse.ch/sample/f8b2a71a34172076cc65f15d14ed43099a1ddf0a294ffe34c6004ae430a10317/

Backdoor: https://bazaar.abuse.ch/sample/e675ada65b850344af62cee3d42e6f526b3f8acfb711d1144692aa7c95b1c367/

Triage: https://tria.ge/240305-wq4dysdc2y/behavioral2

#SolarMarker
#Signed #EV ТОВ "Оноп"

C2: 67.43.234.48
C2: 2.58.15.214
C2: 91.206.178.109

Triage: https://tria.ge/231217-v3sybageh4/behavioral1

VT: https://virustotal.com/gui/file/9dc4e8a0d45b04b1b4bc2df2a16aa37e5597624feed3b53a9c5ca2929a2fb6c3/

MB: https://bazaar.abuse.ch/sample/99af27441ed0cf1933b2d8a329d444b6ba243399f44d0babf4a0abba95e860c6/

Backdoor: https://bazaar.abuse.ch/sample/c657a0a83b60e8962a552753c3ae924772cf81a7f7100d06695432f4c117fe46/

First stage has recently changed. I may need a new blogpost. (My debloat tool doesn't work in this instance either.)

Low Detection #SolarMarker
#Signed #EV ТОВ "Софт Енжін юа"

C2: 146.70.71.135
C2: 91.206.178.109

Triage Analysis: https://tria.ge/231024-rhrb7sdd6z/behavioral1

VT: https://virustotal.com/gui/file/820eda2078723e7f1c09d0e6d3641ea822c2b36c981cb5bfa4e445733664c087/detection

MB: https://bazaar.abuse.ch/sample/70c2978f454bf649909371b631882baf3c9f3db525d342c9aed88fa0b334bf5e/

Backdoor: https://bazaar.abuse.ch/sample/79611ccdebf0fdafcf6844ea278314038ceda7b6f5c39ed7919cf6f7f2274c06/

#SolarMarker, what do you have against Ukraine?
-
Decoy PDF: US Assistance to Ukraine (unrelated lure), PowerShell loads backdoor
#Signed #EV ТОВ "Ветох"

C2: 146.70.145.224

VT: https://virustotal.com/gui/file/b55b93ec2e7b962840adfacb4e6007c620f6e7fc9a1289825b44b1376a5cc081

MB: https://bazaar.abuse.ch/sample/4d0f98d16ea2647123fa9014a0a0e30968d1c58c9735b077473d44a7632ec90c/

Backdoor: https://bazaar.abuse.ch/sample/4cc525e4fe09c6d8d5beb8afb5a3c6525b5a04e6a3db107920189bb1d4814d3a/
@th3_protoCOL