SolarMarker

SolarMarker (also tracked as Jupyter, Polazert and Yellow Cockatoo) is an information stealer and backdoor. Its main initial-access path is advanced SEO poisoning combined with tricking users into downloading malicious documents. Once inside a system it extracts autofill data, saved passwords and credit card details from web browsers, and it can also transfer files and execute commands received from its C2 server, which makes it a versatile threat.

Key Insights

Since 2020, SolarMarker has evolved to improve its evasion and persistence. Initially it used large Windows Installer package files (MSI) to bypass security detections. Later it moved to signed executables and obfuscated PowerShell scripts to make detection harder. Its multi-stage infection process starts with the execution of a legitimate-looking file and then deploys the malware in the background.

Multi-Tiered Infrastructure

SolarMarker has a multi-tiered infrastructure with at least two clusters: one for active operations and one for testing new techniques or targeting specific regions or industries. This layered approach makes it harder to take down and allows the operators to adapt quickly to countermeasures.

Evasion Techniques

To avoid detection, SolarMarker uses several techniques. It signs its payloads with Authenticode certificates so they look legitimate, and it deploys large files to hinder antivirus scanning. It also uses obfuscated code and reflective code loading to execute its payloads directly in memory, leaving a minimal footprint on the infected system.
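The Key Insights and Evasion Techniques sections above describe one recognisable pattern from the defender's side: an installer or signed executable that quietly hands off to obfuscated PowerShell, which then stages code in memory. The script below is an added example and is not code from Hunt.io or from any published SolarMarker analysis; it scores process-creation events for that pattern. The event schema (a Sysmon event 1 / Security 4688 style record), the switch list, the size threshold, the scoring weights and the three sample events are all constructed assumptions for illustration, not SolarMarker indicators.

```python
"""Hunt heuristic for the "installer spawns obfuscated PowerShell" loader pattern.

Added example, not Hunt.io code. Event schema, thresholds, switch list, weights and
sample telemetry are assumptions constructed for illustration.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Flattened process-creation record (assumed schema, Sysmon EID 1 / 4688 style)."""
    parent_image: str        # full path of the parent executable
    image: str               # full path of the created process
    command_line: str
    parent_signed: bool      # Authenticode verdict the sensor reported for parent_image
    parent_size_bytes: int   # on-disk size of parent_image


LARGE_FILE_BYTES = 100 * 1024 * 1024   # assumed cut-off for an "oversized" signed parent
HUNT_THRESHOLD = 5                     # assumed score at which an analyst should take a look

# PowerShell switches a loader uses to get no console window and no policy friction.
# powershell.exe accepts prefix forms (-w, -nop, -ep, -enc), so both spellings are matched.
FLAG_PATTERNS = {
    "hidden_window":   re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "no_profile":      re.compile(r"(?i)-nop(?:rofile)?\b"),
    "non_interactive": re.compile(r"(?i)-noni(?:nteractive)?\b"),
    "policy_bypass":   re.compile(r"(?i)-e(?:p|xecutionpolicy)\s+bypass"),
    "encoded_command": re.compile(r"(?i)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}"),
}
# Substrings in a decoded script that point at reflective / in-memory execution.
IN_MEMORY_MARKERS = ("iex", "invoke-expression", "reflection.assembly", "frombase64string")


def _basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def is_powershell(image: str) -> bool:
    return _basename(image) in ("powershell.exe", "pwsh.exe")


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument (UTF-16LE, base64); used here only to construct samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the script behind -e/-ec/-enc/-EncodedCommand, or None if absent or undecodable."""
    m = re.search(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def score_event(ev: ProcEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons). Only PowerShell launches are scored; anything else is 0."""
    score, reasons = 0, []
    if not is_powershell(ev.image):
        return 0, reasons
    parent = ev.parent_image.lower()
    if _basename(parent) == "msiexec.exe":          # MSI package handing off to PowerShell
        score += 3
        reasons.append("installer_spawned_powershell")
    if "\\users\\" in parent and any(d in parent for d in ("\\downloads\\", "\\appdata\\", "\\temp\\")):
        score += 2                                   # where a lured download typically lands
        reasons.append("parent_in_user_writable_dir")
    if ev.parent_signed and ev.parent_size_bytes > LARGE_FILE_BYTES:
        score += 1                                   # signed and bloated to hinder scanning
        reasons.append("oversized_signed_parent")
    for name, pat in FLAG_PATTERNS.items():
        if pat.search(ev.command_line):
            score += 1
            reasons.append("flag:" + name)
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None and any(mk in decoded.lower() for mk in IN_MEMORY_MARKERS):
        score += 3                                   # decoded stage loads code in memory
        reasons.append("in_memory_loader_marker")
    return score, reasons


def triage(events: List[ProcEvent]) -> List[dict]:
    out = []
    for ev in events:
        score, reasons = score_event(ev)
        out.append({"parent": _basename(ev.parent_image), "score": score, "reasons": reasons,
                    "verdict": "hunt" if score >= HUNT_THRESHOLD else "benign"})
    return out


# Constructed sample telemetry (not real SolarMarker events).
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS_EXE,               # admin-run maintenance script
              r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1", True, 4_500_000),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", PS_EXE,        # installer launching an encoded stage
              "powershell.exe -w hidden -nop -ep bypass -enc "
              + encode_command("IEX ([System.Reflection.Assembly]::Load($b))"), True, 200_000),
    ProcEvent(r"C:\Users\jdoe\Downloads\Invoice_Viewer_Setup.exe", PS_EXE,   # oversized signed "viewer"
              r"powershell.exe -WindowStyle Hidden -NonInteractive -File C:\Users\jdoe\AppData\Local\Temp\stage.ps1",
              True, 250 * 1024 * 1024),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f"{row['verdict']:6} score={row['score']:2} parent={row['parent']} reasons={row['reasons']}")
```

The weights deliberately favour combinations: a single `-NoProfile` from explorer.exe stays below the threshold, while an MSI host launching a hidden, policy-bypassing, encoded command whose decoded body reflectively loads an assembly scores high on several independent signals. In production the same logic would run over EDR or Sysmon telemetry rather than the constructed list, and the decoded script would be retained as an artifact for the analyst.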

Known Variants

SolarMarker has several known variants: Jupyter, Polazert and Yellow Cockatoo. Each variant shares the same core functionality but may differ in tactics or targeting. For example, the Jupyter variant is known for its information-stealing capabilities and targets web browsers.

Mitigation Strategies

  • Implement application allow-lists to prevent unknown software execution.

  • Conduct regular security awareness training to educate employees about phishing and SEO poisoning.

  • Use advanced endpoint detection and response (EDR) to detect and block malicious activities.

  • Keep all software and systems up to date to patch known vulnerabilities.

Targeted Industries or Sectors

SolarMarker has been observed targeting a wide range of industries, including education, healthcare, government, hospitality and SMEs. This breadth suggests that the operators want to maximize their reach and impact rather than focus on a single sector.

Associated Threat Actors

No specific threat actors have been linked to SolarMarker. Some analysis suggests the involvement of sophisticated and persistent groups, but there is no concrete attribution. The lack of identifiable actors makes it hard to track the origin of such advanced malware campaigns.
