Info-Stealer ‘Solarmaker’ Activity Surging and Novel Modules Deployed Now

By Bill Toulas / July 30, 2021

Researchers at Cisco Talos have observed a spike in the activity of ‘Solarmaker,’ an actively developed .NET-based modular information stealer and keylogger that continues to evolve and passes undetected by most security solutions. The actor orchestrating the ongoing campaign appears to be Russian-speaking: it uses Russian names for the various modules, deploys an IP address hosted on ‘Selectel’, and performs character-substitution tricks between the Latin and Cyrillic alphabets. Of course, all of these may be purposefully planted false flags, but that is unlikely to be the case.

The targets of the latest campaign are mainly Europe-based entities, and the actors appear to be focused on harvesting credentials. The languages used by the actors are English, German, and Russian. The organizations recently approached by ‘Solarmaker’ operate in the education, manufacturing, and health care sectors, as well as municipal governments. Because the range of targeted industries is so wide, the lure files also use a wide range of themes.

The most interesting part of the Talos report is the one concerning the modules used by Solarmaker, some of which are being reported for the first time. Here’s a summary of them:

[Module summary tables from the Talos report. Source: Cisco Talos]

As for how the initial compromise happens, it is through malicious websites hosted on Google Sites, for added legitimacy and detection avoidance. Victims are probably led there by a URL embedded in an email.
