SolarMarker Malware Continues to Evolve, Targeting Multiple Sectors
Recent investigations by Recorded Future have revealed the complex infrastructure behind the SolarMarker malware, a notorious information-stealing threat. The actors responsible for this malware have created a multi-tiered system designed to complicate law enforcement’s efforts to neutralize it. This infrastructure is divided into at least two distinct clusters: a primary segment dedicated to active operations and a secondary one purportedly used for strategic innovations or targeting specific industries and regions.
The dual-layered approach enhances SolarMarker’s adaptability, making it more resilient against countermeasures and significantly increasing the difficulty of eradication. Since its emergence in September 2020, SolarMarker—known by various names including Deimos, Polazert, and Yellow Cockatoo—has continuously evolved, demonstrating capabilities to pilfer sensitive information from numerous web browsers and cryptocurrency wallets, while also targeting VPNs and Remote Desktop Protocol (RDP) configurations.
Data compiled since September 2023 indicates that SolarMarker’s main targets include education, government, healthcare, hospitality, and small to medium-sized enterprises, with a significant majority of the victims located in the United States. Notable instances have involved significant institutions such as prominent universities, governmental agencies, well-known hotel chains, and healthcare providers.
To evade detection, the creators of SolarMarker have been honing its stealthiness through techniques such as the use of larger payload sizes and valid Authenticode certificates. The malware also employs innovative Windows Registry modifications and has the unique ability to execute directly from memory, bypassing traditional methods of disk storage. Infection vectors typically involve misleading downloader sites presenting themselves as legitimate platforms for popular software, which victims may access unwittingly or through manipulated search engine results. Additional avenues of infection include malicious email links.
Upon execution, initial droppers manifest as executable files or Microsoft Software Installer (MSI) files, leading to the deployment of a .NET-based backdoor that subsequently downloads further payloads for information theft. Recent variations of the malware also utilize counterfeit installers to present seemingly legitimate applications while concurrently deploying a PowerShell script that loads the SolarMarker backdoor directly into memory.
Notably, SolarMarker has recently incorporated a Delphi-based backdoor known as SolarPhantom, which enables remote control of infected systems without the users’ knowledge. In the latest months, threat actors have alternated their methods, employing Inno Setup and PS2EXE utilities to generate payloads, demonstrating a flexible and evolving attack strategy.
As of two months ago, security researchers observed a new version of SolarMarker, propagated using a deceiving dishwasher manual as bait. There is ongoing speculation regarding the origins of SolarMarker, with some analyses suggesting the involvement of a single actor, potentially connected to Russian cyber activities.
In the broader context of cybersecurity incidents, the infrastructures surrounding such malware are critical for understanding the motivations and tactics used by threat actors. Recorded Future’s analysis indicates a sophisticated command-and-control (C2) server architecture, characterized by multiple tiers that facilitate direct communication with infected machines while allowing for the orchestration of operations on a longer-term basis.
This incident underscores the necessity for businesses to bolster their cybersecurity defenses against such multifaceted threats. Employing the MITRE ATT&CK framework can provide insights into the likely tactics and techniques used in these attacks, such as initial access, persistence, and privilege escalation, thus enabling targeted strategies to prevent future breaches. In a landscape where data security is increasingly paramount, understanding these threats is essential for safeguarding organizational assets.
