SolarMarker: To Jupyter and Back [Wednesday, November 22, 2023]

Report

SolarMarker: To Jupyter and Back

Description :
SolarMarker uses process injection to run its hVNC and data-staging payloads. The actors behind SolarMarker write the majority of their payloads in .NET; the notable exception is the observed hVNC backdoor, which is written in Delphi. The initial infection spawns numerous PowerShell processes, producing a highly noticeable activity pattern that defenders can hunt for. The threat actor(s) have started crafting their own websites to host the landing pages. eSentire is currently seeing versions JN-2, JN-10 and M-VII being deployed.

Published :
2023-11-22T14:16:42.536Z

Created :
2023-11-22T14:16:42.536Z

Modified :
2023-11-22T14:28:33.849Z

Tags

  • solarmarker
  • solarphantom

Indicators

IPv4s :
  • 146.70.169.170
  • 23.29.115.186
  • 146.70.86.142
Hashes :
  • 636f3d9b38c9fc45844955227a9b7041d9434ad9a312760de0f9b19987ed0ebc
  • 111ff9db4e7f49eb25e938c94d1ecc8943fc2c4a71bc989a43a4048c6eaf37a5
  • 7d1c7561a6c3f78a6bd5cbe4265fff1fdb9d3b87814d655221a372660ca4d565
  • 28b77a0e3bd4e0d2686520102879fc0bdff2986a84469ef2b56c03b13ef5507f
  • 460f7b765fae008edc248eb24c108754321b02b7c825aef40c1047662ece3ed8
  • d4debb62f43fb37f8ad0968499d2d48d3cfad20f4ed20d8b3fe9e4759fd95d68
  • e5739f12f5b223d2862bde77f8c19c8d8f919fd78a0abf5acd32c320066e8188
  • b68432733599727a3f6bc5088b78805ded20e83cf26c00a83b472de1870bbfe2
  • bd7a03a372a84bd292e0aa5ebd595284580028c180981b1ce49f5ce1646db6ac
  • 48d7384737860eebbd2ff645371656c53616e19f6f91c88878d4a7af6369e2ba
  • 33787d23c94145b1b2c6f607902bf4f6093531247a19a5b3a0c5e298f312167d
  • 057aa4a06395c384a2a9d29f499b410ac1da6fc2c10aa61908eea3e67a32b872
  • ecf55dc3931e1bc6a186d5a84b22fd8a59e5b72dc03f965d33265e8721186065
  • 39743e067f1e97068f7d9d9af07c8cc6062a5ebbf96a05aac911c91aa96b12d0
  • 2fbf37ebd97644e0a1d50d5152c00fb5cdf45e823af2cc4343efabc1c57d10b2
  • c81cd17859800b5c286aba4583fc0ed7518af044f691a1e62005f42376729d55
  • 00e5ce897dae9fd3c7f1fc003e4b162ded42b7530b3667922e64d6e92e433352
  • 1687321e8be239afc79c20976cb1fd442918dfbff7a8ffbbc1d1d33c7faf066b
  • beedffc1b1e8af41c898f33aa505eef7b28852f517fbddccee444f5ed6b84d7a
  • b6851992ad1afbb3593da3c1265075705a6e76079a975e297bdf89c0311d8490
  • 1d87cc65415db79a65569590c5f58cf0c03507b91f3c599af030994faaa7c19d
  • 463b653e96c35610a81c95bc50608ed34811e591e948988c99316a369619e48a
  • 2caec96b87d2a69c13936adb6a1a4edd79aa1566e5bda7b992ff3fda121d4822
  • 58da56a18d24473bfd68904da60b8819832299b7e6f72c09aba3180575419e95
  • f1196086ca5b3e58a7d20d16b42d83569da07d8ad9228ebcd8ea25a5623d45dc
Attack Patterns (MITRE ATT&CK) :
  • T1074 (Data Staged)
  • T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
  • T1059.001 (Command and Scripting Interpreter: PowerShell)
  • T1204.002 (User Execution: Malicious File)
  • T1189 (Drive-by Compromise)
  • T1041 (Exfiltration Over C2 Channel)
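Putting the indicators and the behavioural note in the description to work, the following Python script is an added example written for this page; it is not eSentire's or Securitricks' tooling. It parses the IPv4 and SHA-256 bullets from an embedded excerpt of the indicator block above, matches them against a handful of constructed Sysmon-style events, and flags hosts where PowerShell launches cluster in a short window, which is the "numerous PowerShell processes" pattern the description calls out. The event schema, the lure path, the 60-second window, the threshold of five launches and every sample event are assumptions for illustration, not anything observed in the report.

```python
"""Added example for this report: IOC matching plus a PowerShell-burst check.

Event schema, window and threshold are assumptions; sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Excerpt of the indicator block from this page (two of the listed hashes), embedded
# so the parser can run offline. Swap in the full list for real use.
REPORT_EXCERPT = """
IPv4s :
  • 146.70.169.170
  • 23.29.115.186
  • 146.70.86.142
Hashes :
  • 636f3d9b38c9fc45844955227a9b7041d9434ad9a312760de0f9b19987ed0ebc
  • 111ff9db4e7f49eb25e938c94d1ecc8943fc2c4a71bc989a43a4048c6eaf37a5
Attack Patterns (MITRE ATT&CK) :
  • T1074 (Data Staged)
"""

BULLET = r"^\s*[•*-]\s*"
IPV4_RE = re.compile(BULLET + r"(\d{1,3}(?:\.\d{1,3}){3})\s*$")
SHA256_RE = re.compile(BULLET + r"([0-9a-fA-F]{64})\s*$")


def parse_iocs(text):
    """Pull IPv4 addresses and SHA-256 hashes out of the report's bullet lists."""
    ips, hashes = set(), set()
    for line in text.splitlines():
        if (m := IPV4_RE.match(line)):
            ips.add(m.group(1))
        elif (m := SHA256_RE.match(line)):
            hashes.add(m.group(1).lower())
    return {"ips": ips, "sha256": hashes}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LURE = r"C:\Users\alice\Downloads\Agreement.exe"  # assumed lure path, not from the report
NOISE_SHA = "c" * 64  # placeholder hash for processes that are not on the IOC list

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, EventID 3 = NetworkConnect).
SAMPLE_EVENTS = [
    # User runs the downloaded lure (T1204.002); its hash is on the IOC list.
    {"ts": "2023-11-22T14:10:00", "host": "WS01", "type": "ProcessCreate",
     "image": LURE, "parent": r"C:\Windows\explorer.exe",
     "sha256": "636f3d9b38c9fc45844955227a9b7041d9434ad9a312760de0f9b19987ed0ebc"},
    # Seven PowerShell launches within 30 s under the lure (T1059.001 burst).
    *[{"ts": f"2023-11-22T14:10:{s:02d}", "host": "WS01", "type": "ProcessCreate",
       "image": PS, "parent": LURE, "sha256": NOISE_SHA} for s in range(5, 40, 5)],
    # PowerShell connects out to a listed address (T1041).
    {"ts": "2023-11-22T14:11:02", "host": "WS01", "type": "NetworkConnect",
     "image": PS, "dst_ip": "146.70.169.170"},
    # Benign admin host: two PowerShell launches 50 minutes apart, nothing listed.
    {"ts": "2023-11-22T13:00:00", "host": "WS02", "type": "ProcessCreate",
     "image": PS, "parent": r"C:\Windows\explorer.exe", "sha256": NOISE_SHA},
    {"ts": "2023-11-22T13:50:00", "host": "WS02", "type": "ProcessCreate",
     "image": PS, "parent": r"C:\Windows\explorer.exe", "sha256": NOISE_SHA},
]


def match_iocs(events, iocs):
    """Return (event index, reason) for every event touching a listed hash or IP."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("sha256", "").lower() in iocs["sha256"]:
            hits.append((i, "sha256:" + ev["sha256"][:12]))
        if ev.get("dst_ip") in iocs["ips"]:
            hits.append((i, "ip:" + ev["dst_ip"]))
    return hits


def powershell_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Hosts with >= threshold PowerShell launches inside any sliding window.

    Returns {host: peak count}. Window and threshold are assumed starting points
    to be tuned against the organisation's normal PowerShell usage.
    """
    by_host = defaultdict(list)
    for ev in events:
        if ev["type"] == "ProcessCreate" and ev["image"].lower().endswith("powershell.exe"):
            by_host[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


def triage(events, report_text=REPORT_EXCERPT):
    """Run both checks and return their results together."""
    iocs = parse_iocs(report_text)
    return {"ioc_hits": match_iocs(events, iocs), "ps_bursts": powershell_bursts(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for idx, reason in result["ioc_hits"]:
        ev = SAMPLE_EVENTS[idx]
        print(f"IOC hit  {reason:24} host={ev['host']} ts={ev['ts']}")
    for host, n in result["ps_bursts"].items():
        print(f"PS burst host={host} peak={n} launches inside 60 s")
```

In production you would feed real Sysmon EventID 1 and 3 records (or the equivalent EDR telemetry) and the full hash list from this page rather than the two-entry excerpt. Hash and IP matches are exact and cheap but age quickly; the burst check targets the behaviour the description highlights and survives payload rebuilds, at the cost of needing a threshold tuned to how much legitimate PowerShell your fleet runs.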
External References :


About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
