SolarMarker’s latest version, which augments its capabilities, has been revealed recently by cybersecurity researchers PaloAlto Networks. While this new version of SolarMarker (aka Jupyter) is designed to enhance its defense capabilities and evasion capabilities to evade detection.
As part of its identity theft and backdoor capabilities, SolarMarker malware operates mainly through search engine optimization (SEO) manipulation, which makes it particularly dangerous.
A considerable amount of effort is placed into defense evasion, which includes a variety of techniques that the malware employs, and here below we have mentioned them:-
- Signed files
- Huge files
- Impersonation of legitimate software installations
- Obfuscated PowerShell scripts
Here below we have mentioned all the primary capabilities of SolarMarker malware:-
- Exfiltration of auto-fill data
- Saved passwords
- Saved credit card information from victims’ web browsers
- File transfer capabilities
- File execution capabilities
- Execute arbitrary commands retrieved from a remote server
Key Changes in the New Version of SolarMarker
Here below we have mentioned all the key changes done in the new version of SolarMarker:-
- The dropper is switched back to executables instead of MSI, so that executables are used to drop the files.
- Adds support for larger volumes of dropper files.
- There is always a valid company-signed signature on the dropper files.
- This script has been modified to work with PowerShell.
- Unlike the previous version, when this new version infects the victim’s computer for the first time, the backdoor will automatically be loaded into the dropper process.
Deployment of SolarMarker
SolarMarker began establishing long-term persistence on compromised systems in February 2022 when the operators of the program were observed using stealthy Windows Registry tricks for deploying the program.
In its initial stage, an EXE file larger than 250MB will be used by the operators. It has become a common practice on the Internet to host certain utilities and products on fake websites that are filled with keywords and were optimized in ways to be classified as high-ranking results.
Since the dropper’s initial stage file size is quite large, it is able to avoid automatic analysis by AV tools and engines. However, it has also been designed to be able to download and install legitimate programs from the Internet.
As a result, a PowerShell installer is activated in the background and the SolarMarker malware is effectively deployed.
The SolarMarker backdoor, which consists of a .NET payload, is capable of conducting internal reconnaissance. Afterward, the vacuum extracts data from the system, which is then transmitted to the remote server via an encrypted connection.
A SolarMarker implant, in addition to being a conduit to get information from a victim machine, is also a part of the information-stealing system.