Andrew Windsor and Chris Neal, researchers at Cisco Talos, analyzed the Solarmarker malware, a .NET-based keylogger that they describe as “highly modular”. In their opinion, the actors behind the Solarmarker campaign are “quite sophisticated” and concentrate their efforts on stealing login data and other information.
Other indications, such as the targeted language component of the keylogger, suggest that the attackers either have an interest in European organizations or are simply unable to process text in languages other than Russian, German and English. “Regardless, they are not picky or overly careful about which victims get infected with their malware. During the recent surge in the campaign, Talos observed that the health, education and local government sectors were the most attacked,” the researchers’ report said.
The Talos researchers warn companies to be wary of the malware, since the modules discovered show that victims are exposed to the theft of sensitive information: not only data that individual employees enter in their browsers, such as credit card numbers or other personal details, but also data that is critical to the security of the company, in particular login credentials.
According to Cisco Talos, Solarmarker has been active since at least September 2020. Some DNS telemetry data even suggest that the malware has been in circulation since April 2020.