Wednesday, November 6, 2024
HomeCyber Security NewsA New Version of SolarMarker Malware Steals Passwords and Credit Card Data

A New Version of SolarMarker Malware Steals Passwords and Credit Card Data

Published on

Malware protection

SolarMarker’s latest version, which augments its capabilities, has been revealed recently by cybersecurity researchers PaloAlto Networks. While this new version of SolarMarker (aka Jupyter) is designed to enhance its defense capabilities and evasion capabilities to evade detection.

As part of its identity theft and backdoor capabilities, SolarMarker malware operates mainly through search engine optimization (SEO) manipulation, which makes it particularly dangerous.

A considerable amount of effort is placed into defense evasion, which includes a variety of techniques that the malware employs, and here below we have mentioned them:-

- Advertisement - SIEM as a Service
  • Signed files
  • Huge files
  • Impersonation of legitimate software installations
  • Obfuscated PowerShell scripts

SolarMarker’s Capabilities

Here below we have mentioned all the primary capabilities of SolarMarker malware:-

  • Exfiltration of auto-fill data
  • Saved passwords
  • Saved credit card information from victims’ web browsers
  • File transfer capabilities 
  • File execution capabilities
  • Execute arbitrary commands retrieved from a remote server

Key Changes in the New Version of SolarMarker

Here below we have mentioned all the key changes done in the new version of SolarMarker:-

  • The dropper is switched back to executables instead of MSI, so that executables are used to drop the files.
  • Adds support for larger volumes of dropper files.
  • There is always a valid company-signed signature on the dropper files.
  • This script has been modified to work with PowerShell.
  • Unlike the previous version, when this new version infects the victim’s computer for the first time, the backdoor will automatically be loaded into the dropper process.

Deployment of SolarMarker

SolarMarker began establishing long-term persistence on compromised systems in February 2022 when the operators of the program were observed using stealthy Windows Registry tricks for deploying the program.

In its initial stage, an EXE file larger than 250MB will be used by the operators. It has become a common practice on the Internet to host certain utilities and products on fake websites that are filled with keywords and were optimized in ways to be classified as high-ranking results.

Since the dropper’s initial stage file size is quite large, it is able to avoid automatic analysis by AV tools and engines. However, it has also been designed to be able to download and install legitimate programs from the Internet.

As a result, a PowerShell installer is activated in the background and the SolarMarker malware is effectively deployed.

The SolarMarker backdoor, which consists of a .NET payload, is capable of conducting internal reconnaissance. Afterward, the vacuum extracts data from the system, which is then transmitted to the remote server via an encrypted connection.

A SolarMarker implant, in addition to being a conduit to get information from a victim machine, is also a part of the information-stealing system.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially...

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...

ToxicPanda Banking Malware Attacking Banking Users To Steal Logins

Recent research has uncovered a new strain of malware developed for Android devices, initially...

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...