- Aug 17, 2014
Andrew Windsor and Chris Neal, researchers with Cisco Talos, have seen new activity from Solarmarker, a .NET-based information stealer and keylogger that they called "highly modular."
The researchers explained that the Solarmarker campaign is being conducted by "fairly sophisticated" actors focusing their energy on credential and residual information theft.
Other clues, like the targeted language component of the keylogger, indicate that the attacker either has an interest in European organizations or cannot afford to process text in languages other than Russian, German and English.
"Regardless, they are not particular or overly careful as to which victims are infected with their malware. During this recent surge in the campaign, Talos observed the health care, education, and municipal government verticals being targeted the most often," the report said.
"These sectors were followed by a smaller grouping of manufacturing organizations, along with a few individual organizations in religious institutions, financial services and construction/engineering. Despite what appears to be a concentration of victimology among a few verticals, we assess with moderate confidence that this campaign is not targeting any specific industries, at least not intentionally."
The report added that Microsoft researchers believe the Solarmarker campaign is using SEO poisoning in order to make their dropper files highly visible in search engine results, potentially skewing "what types of organizations are likely to come across the malicious files depending on what is topically popular at the time."