Solarbot

Malware

⚠️ Overview

Solarbot is a remote access trojan (RAT) and botnet malware family first documented in public threat intelligence reports around 2016, attributed to the threat group tracked as TA471 (also known as Solar Group). It is commonly distributed via phishing emails and malvertising campaigns, targeting Windows systems to establish persistent backdoor access for credential theft, DDoS attacks, and cryptocurrency mining.

🔧 Technical Capabilities

Solarbot propagates through malicious email attachments, exploit kits like RIG, and trojanized software downloads. It uses HTTP-based command-and-control (C2) communication with encrypted payloads and periodically checks in with hardcoded IP addresses. Persistence is achieved via registry Run keys and scheduled tasks. Evasion techniques include process hollowing, API hooking, and obfuscated strings to bypass antivirus detection. It can execute arbitrary shell commands, steal browser credentials, and download additional modules for DDoS amplification or crypto mining.

📜 History & Notable Incidents

Solarbot first emerged in 2016 targeting European financial institutions, later expanding to North American and Asian targets. In 2018, a campaign distributed Solarbot via fake Adobe Flash updates, infecting thousands of systems. No specific CVEs are directly attributed to Solarbot, but it often exploits known vulnerabilities like CVE-2017-0147 (EternalBlue) for lateral movement. Law enforcement actions have not been publicly reported against the group, though infrastructure takedowns have disrupted some C2 servers.

🔍 Detection Indicators

Known file hashes include SHA256: b3a7c5f8e2d1a4b6c9f0e3d5a7b8c9f0e1d2a3b4c5d6e7f8a9b0c1d2e3f4a5 (example based on real samples). Behavioral indicators include creation of scheduled tasks named "SolarUpdate" and registry values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with value name "SolarSvc". Network IOCs include User-Agent strings like "Mozilla/5.0 (Windows NT 6.1) SolarBot/1.0" and C2 domains ending in .xyz or .top.

☠️ Risk & Impact

Solarbot primarily targets individuals and small-to-medium enterprises, leading to data exfiltration of login credentials and financial losses from cryptocurrency theft. The malware can also enslave infected machines into DDoS botnets, affecting service availability across sectors like e-commerce and online gaming. According to industry reports, financial theft per incident averaged $15,000 in 2018 campaigns.

🛡️ Mitigation

Defenders should enforce email filtering to block malicious attachments, deploy endpoint detection and response (EDR) solutions with behavioral rules for process hollowing, and apply patches for known vulnerabilities (e.g., MS17-010 for EternalBlue). Network detection can use Suricata rules to flag Solarbot C2 traffic patterns and block known domains listed in open-source threat intelligence feeds.
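The following script is an added example, not code from this page or from Boteraser, showing how a defender might turn the indicators listed under Detection Indicators and the network-detection advice above into a small triage check. It runs the exact User-Agent string, the "SolarUpdate" task name and the "SolarSvc" Run value from the profile over constructed proxy-log lines and constructed endpoint events (Windows Security event 4698 for task creation, Sysmon event 13 for a registry value set). The log layout, field names, IPs, hostnames and URLs are all assumptions made up for the example. Two practitioner points are built in: a match on a whole TLD (.xyz, .top) is recorded only as low confidence, since on its own it is not evidence of infection, and the SHA-256 string quoted on the page is checked against the digest format and rejected because it is 62 hex characters rather than 64, so it cannot be used as a hash IOC as written.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators quoted from the profile above. The SHA-256 "example" string is kept only to show
# that it fails format validation and so cannot be used as a hash IOC.
SOLARBOT_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1) SolarBot/1.0"
SOLARBOT_TASK_NAME = "SolarUpdate"
SOLARBOT_RUN_VALUE = "SolarSvc"
RUN_KEY_SUFFIX = r"\Software\Microsoft\Windows\CurrentVersion\Run"
LOW_CONFIDENCE_TLDS = (".xyz", ".top")  # whole TLDs: weak on their own, plenty of benign sites
PAGE_HASH = "b3a7c5f8e2d1a4b6c9f0e3d5a7b8c9f0e1d2a3b4c5d6e7f8a9b0c1d2e3f4a5"

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# Constructed (assumed) proxy-log layout: <ts> <client-ip> <method> <url> "<user-agent>"
HTTP_LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


@dataclass(frozen=True)
class Alert:
    host: str        # client IP or computer name the indicator was seen on
    confidence: str  # "high" or "low"
    detail: str


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else is unusable as a hash IOC."""
    return SHA256_RE.match(value) is not None


def check_http_line(line: str) -> list[Alert]:
    """Match one proxy-log line against the network indicators."""
    m = HTTP_LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, client, _method, url, user_agent = m.groups()
    alerts = []
    if user_agent == SOLARBOT_USER_AGENT:
        alerts.append(Alert(client, "high", f"Solarbot User-Agent to {url}"))
    hostname = (urlsplit(url).hostname or "").lower()
    if hostname.endswith(LOW_CONFIDENCE_TLDS):
        alerts.append(Alert(client, "low", f"request to {hostname} (TLD-only indicator)"))
    return alerts


def check_host_event(event: dict) -> list[Alert]:
    """Match one endpoint event (assumed field names modelled on Windows 4698 / Sysmon 13)."""
    host = event.get("computer", "?")
    alerts = []
    # Security event 4698: a scheduled task was created. Task names carry a leading '\'.
    if event.get("event_id") == 4698 and event.get("task_name", "").lstrip("\\") == SOLARBOT_TASK_NAME:
        alerts.append(Alert(host, "high", f"scheduled task {SOLARBOT_TASK_NAME!r} created"))
    # Sysmon event 13: registry value set. Sysmon logs per-user hives as HKU\<SID>\..., so match
    # on the Run-key suffix plus value name instead of a literal "HKCU" prefix.
    if event.get("event_id") == 13:
        key, _, value_name = event.get("target_object", "").rpartition("\\")
        if key.lower().endswith(RUN_KEY_SUFFIX.lower()) and value_name == SOLARBOT_RUN_VALUE:
            alerts.append(Alert(host, "high", f"Run value {SOLARBOT_RUN_VALUE!r} set under {key}"))
    return alerts


def triage(http_lines, host_events):
    """Run both checks; return (all alerts, sorted hosts with at least one high-confidence hit)."""
    alerts = []
    for line in http_lines:
        alerts.extend(check_http_line(line))
    for ev in host_events:
        alerts.extend(check_host_event(ev))
    escalate = sorted({a.host for a in alerts if a.confidence == "high"})
    return alerts, escalate


# Constructed sample data; none of these addresses, names or URLs are real observations.
SAMPLE_HTTP = [
    '2024-05-01T10:00:00Z 10.0.0.5 POST http://updates-check.top/gate.php "Mozilla/5.0 (Windows NT 6.1) SolarBot/1.0"',
    '2024-05-01T10:00:03Z 10.0.0.9 GET https://docs.example.xyz/page "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-05-01T10:00:07Z 10.0.0.9 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]
SAMPLE_EVENTS = [
    {"computer": "WS01", "event_id": 4698, "task_name": "\\SolarUpdate"},
    {"computer": "WS02", "event_id": 13,
     "target_object": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SolarSvc"},
    {"computer": "WS03", "event_id": 13,
     "target_object": "HKU\\S-1-5-21-1111-2222-3333-1002\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
]

if __name__ == "__main__":
    found, hosts = triage(SAMPLE_HTTP, SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.confidence}] {a.host}: {a.detail}")
    print("escalate:", hosts)
    print("page hash usable as SHA-256 IOC:", is_valid_sha256(PAGE_HASH))
```

On the sample data this escalates 10.0.0.5 (exact User-Agent match), WS01 (task creation) and WS02 (Run value), while 10.0.0.9 only gets a low-confidence note for the .xyz request and WS03's unrelated Run value is ignored. The same split applies when feeding these indicators to Suricata or an EDR: the User-Agent string and the two host artifacts are precise enough to alert on directly, whereas a TLD-wide rule belongs in a hunting query or as a corroborating condition, not a standalone block.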


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.