SolarSys

SolarSys Description

SolarSys is a new Trojan threat that is being deployed against users located in Brazil. South America, and Brazil in particular, has been registering far more attack campaigns involving banking Trojan payloads than the rest of the world, and SolarSys does indeed have banking Trojan capabilities. As a whole, SolarSys is composed of several harmful components, each tasked with executing a different action on the compromised system.

The Trojan is delivered through fake MSI installers that pose as Java or Microsoft HTML Help. Once started, they call InstallUtil, which is used to execute a .NET dynamic library named 'uninstall.dll' that carries the first-stage backdoor payload. 'Uninstall.dll' runs a JavaScript backdoor in memory, sets up persistence by registering itself in AutoRun, and executes Install.js, a dropper responsible for delivering the second-stage payloads.
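The delivery chain above (fake MSI installer, InstallUtil loading a .NET DLL, AutoRun persistence) leaves process-creation and registry traces that a defender can check for. The following script is an added example, not code from the original page or from any SolarSys analysis: it runs a simple detection over constructed Sysmon-style JSON events (event 1 = process creation, event 13 = registry value set). The sample events, file paths, SID and rule names are all assumptions made for the example.

```python
import json
import re

# Constructed sample telemetry in a Sysmon-like JSON-lines shape (not captured SolarSys logs).
# Event 1 = process creation, Event 13 = registry value set. Paths and the SID are made up.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", "CommandLine": "InstallUtil.exe C:\\Users\\Public\\uninstall.dll"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Java\\bin\\javaw.exe", "CommandLine": "javaw.exe -jar app.jar"}
{"EventID": 13, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe", "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Java Update", "Details": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe C:\\Users\\Public\\uninstall.dll"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-111\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
"""

# Run / RunOnce keys are the AutoRun locations the first-stage backdoor registers itself in.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# InstallUtil is expected to load .dll installers; a .js reference would point at the dropper stage.
LOADER_ARG = re.compile(r"\.(dll|js)\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(lines):
    """Return (rule, evidence) tuples for events matching the SolarSys delivery chain."""
    findings = []
    for raw in lines.strip().splitlines():
        ev = json.loads(raw)
        if ev["EventID"] == 1 and basename(ev["Image"]) == "installutil.exe" \
                and LOADER_ARG.search(ev["CommandLine"]):
            rule = "installutil_dll_exec"
            if basename(ev["ParentImage"]) == "msiexec.exe":
                rule += "_from_msi"  # the fake MSI installer spawned the .NET loader
            findings.append((rule, ev["CommandLine"]))
        elif ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]) \
                and LOADER_ARG.search(ev["Details"]):
            findings.append(("autorun_loader_persistence", ev["TargetObject"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Legitimate software installers do invoke InstallUtil, so the msiexec-parent and Run-key rules are meant to be correlated per host rather than alerted on in isolation.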

The first module is designed to propagate the banking Trojan further by harvesting contact lists from the compromised computer and sending phishing emails with malware-laced attachments. The email subjects are written to sound important or urgent so that they catch the targets' attention. Some recipients may not suspect that anything is wrong, because the sender is someone they know. Upon execution, the attachments drop further corrupted payloads through template injection.

The second corrupted module of SolarSys attempts to collect credentials from the Google Chrome browser. The information obtained by the malware includes the user's browsing data, website login credentials and more.

The final module is the one responsible for grabbing the user's banking information. It is delivered as a file named 'BOM.bin'. The banking Trojan scans the websites visited by the compromised user for a match against its list of targeted banks. When it finds one, it generates an overlay displaying a fake login page, where the victim is encouraged to input various login credentials that are then exfiltrated to the attackers. Among the banks impersonated by SolarSys are Banco Mercantil, Banco do Nordeste, CrediSIS, Banrisul, Safra, Banco do Brasil, Bradesco, Sicoob, Banco Itaú, Santander, Banco Inter, Banestes, Banpará and other Brazilian banking institutions.