Thursday, April 18, 2024

A New Version of SolarMarker Malware Steals Passwords and Credit Card Data

SolarMarker’s latest version, which augments its capabilities, has been revealed recently by cybersecurity researchers PaloAlto Networks. While this new version of SolarMarker (aka Jupyter) is designed to enhance its defense capabilities and evasion capabilities to evade detection.

As part of its identity theft and backdoor capabilities, SolarMarker malware operates mainly through search engine optimization (SEO) manipulation, which makes it particularly dangerous.

A considerable amount of effort is placed into defense evasion, which includes a variety of techniques that the malware employs, and here below we have mentioned them:-

  • Signed files
  • Huge files
  • Impersonation of legitimate software installations
  • Obfuscated PowerShell scripts

SolarMarker’s Capabilities

Here below we have mentioned all the primary capabilities of SolarMarker malware:-

  • Exfiltration of auto-fill data
  • Saved passwords
  • Saved credit card information from victims’ web browsers
  • File transfer capabilities 
  • File execution capabilities
  • Execute arbitrary commands retrieved from a remote server

Key Changes in the New Version of SolarMarker

Here below we have mentioned all the key changes done in the new version of SolarMarker:-

  • The dropper is switched back to executables instead of MSI, so that executables are used to drop the files.
  • Adds support for larger volumes of dropper files.
  • There is always a valid company-signed signature on the dropper files.
  • This script has been modified to work with PowerShell.
  • Unlike the previous version, when this new version infects the victim’s computer for the first time, the backdoor will automatically be loaded into the dropper process.

Deployment of SolarMarker

SolarMarker began establishing long-term persistence on compromised systems in February 2022 when the operators of the program were observed using stealthy Windows Registry tricks for deploying the program.

In its initial stage, an EXE file larger than 250MB will be used by the operators. It has become a common practice on the Internet to host certain utilities and products on fake websites that are filled with keywords and were optimized in ways to be classified as high-ranking results.

Since the dropper’s initial stage file size is quite large, it is able to avoid automatic analysis by AV tools and engines. However, it has also been designed to be able to download and install legitimate programs from the Internet.

As a result, a PowerShell installer is activated in the background and the SolarMarker malware is effectively deployed.

The SolarMarker backdoor, which consists of a .NET payload, is capable of conducting internal reconnaissance. Afterward, the vacuum extracts data from the system, which is then transmitted to the remote server via an encrypted connection.

A SolarMarker implant, in addition to being a conduit to get information from a victim machine, is also a part of the information-stealing system.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...

Phishing-as-a-Service Platform LabHost Seized by Authorities

Authorities have dismantled LabHost, a notorious cybercrime platform that facilitated widespread phishing attacks across...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles