
New Variant of SolarMarker Malware Using Updated Techniques to Stay Under the Radar


Cybersecurity researchers have unveiled a new version of SolarMarker malware that incorporates new enhancements in a bid to update its defense evasion capabilities and stay under the radar.

“The recent release demonstrated a shift from Windows portable executables (EXE files) to working with Windows installer package files (MSI files),” Palo Alto Networks Unit 42 researchers said in a report published this month. “This campaign is still in development and is reverting to using executable (EXE) files as it did in its previous versions.”

SolarMarker, also known as Jupyter, uses manipulated search engine optimization (SEO) tactics as its main infection vector. It is known for its information theft and backdoor features, allowing attackers to steal data stored in web browsers and execute arbitrary commands fetched from a remote server.


In February 2022, SolarMarker operators were observed using stealthy Windows Registry tricks to establish long-term persistence on compromised systems.


The evolving attack patterns spotted by Unit 42 are a continuation of this behavior, with the infection chains taking the form of 250MB executables posing as PDF readers and utilities. These are hosted on fraudulent websites that are filled with keywords and use SEO techniques to rank higher in search results.

The large file size not only allows the initial stage dropper to avoid automated scanning by antivirus engines, but it is also designed to download and install the legitimate program while in the background it enables execution of a PowerShell installer that deploys the SolarMarker malware.
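As an added example (not Unit 42's code or tooling), the following detection heuristic targets the dropper pattern just described: it scores constructed, Sysmon-style process-creation records and flags PowerShell launched by an installer-named or oversized parent with hidden or encoded flags. The record layout, field names and sample paths are assumptions, not a real product schema.

```python
"""Heuristic detection of the SolarMarker dropper pattern: an oversized
installer (EXE/MSI) that spawns PowerShell in the background.
Added example, not Unit 42 code; the event layout is a constructed,
Sysmon-style process-creation record, not a real product schema."""
import re
from dataclasses import dataclass

LARGE_INSTALLER_BYTES = 200 * 1024 * 1024  # the report cites ~250MB droppers
# -enc/-e (encoded command), -w hidden / -windowstyle hidden, -nop (no profile)
SUSPICIOUS_PS_FLAGS = re.compile(r"-(enc\w*|e|w(indowstyle)?\s+hidden|nop\w*)\b", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    parent_size: int      # size in bytes of the parent's image file (assumed field)
    image: str
    command_line: str


def is_installer(path: str) -> bool:
    """Installer-looking parent: msiexec, an .msi, or an EXE named like a setup."""
    name = path.lower().rsplit("\\", 1)[-1]
    return name == "msiexec.exe" or name.endswith(".msi") or \
        (name.endswith(".exe") and ("setup" in name or "install" in name))


def score_event(ev: ProcEvent) -> list[str]:
    """Return the indicators matched; an empty list means not flagged."""
    hits = []
    child = ev.image.lower().rsplit("\\", 1)[-1]
    if child not in ("powershell.exe", "pwsh.exe"):
        return hits
    if is_installer(ev.parent_image):
        hits.append("powershell spawned by installer")
    if ev.parent_size >= LARGE_INSTALLER_BYTES:
        hits.append("parent image is oversized (%d MB)" % (ev.parent_size // 2**20))
    if SUSPICIOUS_PS_FLAGS.search(ev.command_line):
        hits.append("hidden/encoded PowerShell flags")
    return hits


# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\u\Downloads\PDFReaderSetup.exe", 262_144_000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -enc SQBFAFgA"),
    ProcEvent(r"C:\Windows\explorer.exe", 4_800_000,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-ChildItem"),
]


def flagged(events=SAMPLE_EVENTS, min_hits=2):
    """Events matching at least min_hits indicators, to keep single-signal noise down."""
    return [(e.parent_image, score_event(e)) for e in events if len(score_event(e)) >= min_hits]
```

Requiring two independent indicators keeps an ordinary signed installer that legitimately runs a PowerShell step from being flagged on its own.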


A .NET-based payload, the SolarMarker backdoor is equipped with capabilities to perform internal reconnaissance and collect system metadata, all of which is exfiltrated to the remote server through an encrypted channel.


The implant also functions as a conduit to deploy SolarMarker’s information-stealing module to the victim machine. The stealer, in turn, can siphon autofill data, cookies, passwords, and credit card information from web browsers.

“The malware invests considerable effort in defense evasion, which consists of techniques such as signed files, large files, impersonation of legitimate software installations, and obfuscated PowerShell scripts,” said the researchers.