Thursday, March 28, 2024

A New Version of SolarMarker Malware Steals Passwords and Credit Card Data

SolarMarker’s latest version, which augments its capabilities, has been revealed recently by cybersecurity researchers PaloAlto Networks. While this new version of SolarMarker (aka Jupyter) is designed to enhance its defense capabilities and evasion capabilities to evade detection.

As part of its identity theft and backdoor capabilities, SolarMarker malware operates mainly through search engine optimization (SEO) manipulation, which makes it particularly dangerous.

A considerable amount of effort is placed into defense evasion, which includes a variety of techniques that the malware employs, and here below we have mentioned them:-

  • Signed files
  • Huge files
  • Impersonation of legitimate software installations
  • Obfuscated PowerShell scripts

SolarMarker’s Capabilities

Here below we have mentioned all the primary capabilities of SolarMarker malware:-

  • Exfiltration of auto-fill data
  • Saved passwords
  • Saved credit card information from victims’ web browsers
  • File transfer capabilities 
  • File execution capabilities
  • Execute arbitrary commands retrieved from a remote server

Key Changes in the New Version of SolarMarker

Here below we have mentioned all the key changes done in the new version of SolarMarker:-

  • The dropper is switched back to executables instead of MSI, so that executables are used to drop the files.
  • Adds support for larger volumes of dropper files.
  • There is always a valid company-signed signature on the dropper files.
  • This script has been modified to work with PowerShell.
  • Unlike the previous version, when this new version infects the victim’s computer for the first time, the backdoor will automatically be loaded into the dropper process.

Deployment of SolarMarker

SolarMarker began establishing long-term persistence on compromised systems in February 2022 when the operators of the program were observed using stealthy Windows Registry tricks for deploying the program.

In its initial stage, an EXE file larger than 250MB will be used by the operators. It has become a common practice on the Internet to host certain utilities and products on fake websites that are filled with keywords and were optimized in ways to be classified as high-ranking results.

Since the dropper’s initial stage file size is quite large, it is able to avoid automatic analysis by AV tools and engines. However, it has also been designed to be able to download and install legitimate programs from the Internet.

As a result, a PowerShell installer is activated in the background and the SolarMarker malware is effectively deployed.

The SolarMarker backdoor, which consists of a .NET payload, is capable of conducting internal reconnaissance. Afterward, the vacuum extracts data from the system, which is then transmitted to the remote server via an encrypted connection.

A SolarMarker implant, in addition to being a conduit to get information from a victim machine, is also a part of the information-stealing system.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles