A Security Analyst’s Deep Dive Analysis of the Solarmarker Malware Dropper

Logo
Presented by

Willow Shipperley and Nick Cavalancia

About this talk

Solarmarker is a modular, multistage, heavily obfuscated PowerShell loader, which leads to a .NET compiled backdoor being executed. Solarmarker is flexible enough to deliver a range of final modules, including Mars (a staging component), Jupyter (an information stealer), and Uranus (a keylogger). Using SEO poisoning and malicious PDFs, Solarmarker’s presence has been increasing over the last few months, demonstrating its ability to successfully evade detection, infect victims, and steal information. In this real-training-for-free session, Microsoft MVP and cybersecurity expert Nick Cavalancia takes my seat, and will first discuss: - Attacks involving Solarmarker - The value of evasive techniques - Mapping Solarmarker to the MITRE ATT&CK Framework Joining Nick will be Willow Shipperley – Associate Detection & Response Analyst from Rapid7. Willow will walk you through a deep dive demo of Solarmarker from a security analyst’s perspective, including: - An analysis of Solarmarker’s more recent updates - Anti-analysis methods used - Solarmarker’s somewhat confusing (at first glance) method of hiding the legitimate payload from detection Willow will also be providing a demo of how the malware works, via a live execution in a sandbox VM, followed by the presentation of useful logs and files such as winevt logs (PowerShell Operational Logs). Willow will explain how the code executes, as well as the usage of persistence mechanisms and anti-analysis techniques such as hiding malicious PowerShell in registry keys and building the final first stage payload live/running it in memory. Samples used will be pulled from real cases. The highlight of the demonstration is to show the evolution of the malware (as the original version which many articles have been written about is significantly simpler), as well as to provide insight into how malware triage works. Register to watch this webcast on demand today!
Related topics:

More from this channel

Upcoming talks (4)
On-demand talks (666)
Subscribers (58879)
Rapid7 is creating a more secure digital future for all by helping organizations strengthen their security programs in the face of accelerating digital transformation. Our portfolio of best-in-class solutions empowers security professionals to manage risk and eliminate threats across the entire threat landscape from apps to the cloud to traditional infrastructure to the dark web. We foster open source communities and cutting-edge research–using these insights to optimize our products and arm the global security community with the latest in attackers methods. Trusted by more than 10,000 customers worldwide, our industry-leading solutions and services help businesses stay ahead of attackers, ahead of the competition, and future-ready for what’s next.