SolarMarker (also known as Jupyter, Polazert, and Yellow Cockatoo) is an information stealer and backdoor. Its main initial access vectors are advanced SEO poisoning and luring users into downloading malicious documents. Once inside a system, it can extract autofill data, saved passwords, and credit card details from web browsers. It can also transfer files and execute commands received from its C2 server, which makes it a versatile threat.
Since 2020, SolarMarker has evolved to improve its evasion and persistence. Initially it used large Windows Installer package (MSI) files to bypass security detections; later it moved to signed executables and obfuscated PowerShell scripts that are harder to detect. Its multi-stage infection process starts by executing a legitimate file and then deploys the malware in the background.
Multi-Tiered Infrastructure
SolarMarker operates a multi-tiered infrastructure with at least two clusters: one for active operations and one for testing new techniques or targeting specific regions or industries. This layered approach makes takedowns harder and lets the operators adapt quickly to countermeasures.
Evasion Techniques
To avoid detection, SolarMarker uses several techniques. It signs its payloads with Authenticode certificates so they appear legitimate, and it deploys very large files to hinder antivirus scanning. It also uses obfuscated code and reflective code loading to execute its payloads directly in memory, leaving a minimal footprint on the infected system.
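The evasion techniques above map onto things a defender can hunt for in process-creation telemetry: an oversized installer, a PowerShell launch with a hidden window and bypassed execution policy, and a base64-encoded command that, once decoded, contains a reflective in-memory loading pattern. The script below is an added example written for this page; it is not code from the article or from any vendor, and the event field names (image, cmdline, file_size, signed), the 100 MB size threshold, the scoring weights, and the sample events are all constructed assumptions to be tuned for a real environment. Note that a valid signature is deliberately not treated as exculpatory, because the article states that SolarMarker signs its payloads.

```python
import base64
import math
import re

# Assumed threshold for "large installer"; tune per environment.
LARGE_INSTALLER_BYTES = 100 * 1024 * 1024

# Patterns that, in a decoded PowerShell command, indicate reflective or
# in-memory loading of a payload rather than a file on disk.
REFLECTIVE_PATTERNS = [
    r"Reflection\.Assembly\]::Load",
    r"FromBase64String",
    r"Invoke-Expression",
    r"\biex\b",
]

ENCODED_FLAG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_FLAG = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
BYPASS_FLAG = re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass")


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind a -EncodedCommand argument, or '' if none/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one process-creation event against SolarMarker-style evasion traits."""
    score, reasons = 0, []
    cmd = ev.get("cmdline", "")
    # Large MSI packages were used to hinder scanning; size matters more than signing.
    if ".msi" in cmd.lower() and ev.get("file_size", 0) >= LARGE_INSTALLER_BYTES:
        score += 2
        reasons.append("oversized MSI installer")
    if HIDDEN_FLAG.search(cmd):
        score += 1
        reasons.append("hidden window")
    if BYPASS_FLAG.search(cmd):
        score += 1
        reasons.append("execution policy bypass")
    decoded = decode_encoded_command(cmd)
    if decoded:
        score += 1
        reasons.append("base64-encoded command")
        for pat in REFLECTIVE_PATTERNS:
            if re.search(pat, decoded, re.IGNORECASE):
                score += 2
                reasons.append(f"in-memory loading pattern: {pat}")
                break
    # ev["signed"] is intentionally ignored: Authenticode signing is part of the tradecraft.
    return score, reasons


def hunt(events: list[dict], threshold: int = 3) -> list[tuple[int, int, list[str]]]:
    """Return (event index, score, reasons) for every event at or above the alert threshold."""
    alerts = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((i, score, reasons))
    return alerts


# Constructed sample telemetry (made-up records, not real indicators).
_ENCODED = base64.b64encode(
    "[System.Reflection.Assembly]::Load($bytes)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\template-invoice.msi /qn",
     "file_size": 250 * 1024 * 1024, "signed": True},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -w hidden -ep bypass -enc {_ENCODED}",
     "file_size": 0, "signed": True},
    {"image": r"C:\Program Files\Editor\editor.exe",
     "cmdline": "editor.exe --open doc.txt",
     "file_size": 2 * 1024 * 1024, "signed": True},
]

if __name__ == "__main__":
    for idx, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: score {score}: {', '.join(reasons)}")
```

Run against the constructed events, only the PowerShell launch crosses the threshold; the large MSI alone scores 2 and would be worth correlating with what the installer subsequently spawns rather than alerting on by itself.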
Mitigations
Implement application allow-lists so that unknown software cannot execute.
Conduct regular security awareness training to educate employees about phishing and SEO poisoning.
Use advanced endpoint detection and response (EDR) to detect and block malicious activity.
Keep all software and systems up to date to patch known vulnerabilities.