SolarMarker

SolarMarker (also known as Jupyter, Polazert and Yellow Cockatoo) is an information-stealing and backdoor malware family. It mainly gains initial access through advanced SEO poisoning that tricks users into downloading malicious documents. Once inside a system, it can extract autofill data, saved passwords and credit card details from web browsers. It can also transfer files and execute commands received from its C2 server, which makes it a versatile threat.

Key Insights

Since 2020, SolarMarker has evolved to improve its evasion and persistence. Initially it used large Windows Installer package (MSI) files to bypass security detections. Later it moved to signed executables and obfuscated PowerShell scripts to make detection harder. Its multi-stage infection process starts with the execution of a legitimate-looking file and then deploys the malware in the background.

Multi-Tiered Infrastructure

SolarMarker has a multi-tiered infrastructure with at least two clusters: one for active operations and one for testing new techniques or targeting specific regions or industries. This layered approach makes the infrastructure harder to take down and lets the operators adapt quickly to countermeasures.

Evasion Techniques

To avoid detection, SolarMarker uses several techniques. It signs its payloads with Authenticode certificates to make them look legitimate and deploys unusually large files to hinder antivirus scanning. It also uses obfuscated code and reflective code loading to execute its payloads directly in memory, leaving a minimal footprint on the infected system.

Known Variants

SolarMarker has several known variants: Jupyter, Polazert and Yellow Cockatoo. Each variant shares the same core functionality but may differ in tactics or targeting. For example, the Jupyter variant is known for its information-stealing capabilities and targets web browsers.

Mitigation Strategies

  • Implement application allow-lists to prevent unknown software execution.

  • Conduct regular security awareness training to educate employees about phishing and SEO poisoning.

  • Use advanced endpoint detection and response (EDR) to detect and block malicious activities.

  • Keep all software and systems up to date to patch known vulnerabilities.
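The evasion traits described above (an installer stage that hands off to obfuscated PowerShell, reflective in-memory loading, Authenticode-signed payloads and oversized binaries) can be turned into a simple triage rule for process-creation telemetry. The following is an added example, not code from the original page or from any vendor; the event field names, the trusted-publisher allow-list, the size threshold and the sample events are all constructed assumptions.

```python
import re
from typing import Dict, List

# Assumed organisational allow-list of code-signing publishers (see "application allow-lists").
TRUSTED_SIGNERS = {"Microsoft Windows", "Example Trusted Vendor Inc"}
# Oversized installers are a stated SolarMarker trait; the exact threshold is an assumption.
LARGE_FILE_MB = 100

# "-e/-ec/-enc/-EncodedCommand" followed by a base64 run: encoded PowerShell.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}")
# Reflective loading of a .NET assembly straight from memory.
REFLECTIVE_LOAD = re.compile(r"(?i)Reflection\.Assembly\]::Load\(")


def indicators(ev: Dict) -> List[str]:
    """Return the SolarMarker-style behaviours present in one process-creation event."""
    hits: List[str] = []
    parent, image = ev["parent_image"].lower(), ev["image"].lower()
    cmd = ev.get("cmdline", "")
    if parent.endswith("msiexec.exe") and image.endswith("powershell.exe"):
        hits.append("msi_spawns_powershell")        # installer stage handing off to PowerShell
    if ENCODED_PS.search(cmd):
        hits.append("encoded_powershell")           # obfuscated script body
    if REFLECTIVE_LOAD.search(cmd):
        hits.append("reflective_load")              # in-memory payload execution
    if ev.get("signed") and ev.get("signer") not in TRUSTED_SIGNERS:
        hits.append("signed_by_unlisted_publisher")  # valid signature is not a trust decision
    if ev.get("image_size_mb", 0) > LARGE_FILE_MB:
        hits.append("oversized_binary")             # large file to hinder AV scanning
    return hits


def triage(events: List[Dict]) -> Dict[int, List[str]]:
    """Map event id -> matched indicators, keeping only events with at least one hit."""
    return {ev["id"]: indicators(ev) for ev in events if indicators(ev)}


# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi /qn",
     "signed": True, "signer": "Microsoft Windows", "image_size_mb": 0.1},
    {"id": 2, "parent_image": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA== ; [System.Reflection.Assembly]::Load($b)",
     "signed": True, "signer": "Microsoft Windows", "image_size_mb": 0.4},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Users\alice\Downloads\document-viewer.exe",
     "cmdline": r"C:\Users\alice\Downloads\document-viewer.exe",
     "signed": True, "signer": "Unlisted Publisher Ltd", "image_size_mb": 180},
]

if __name__ == "__main__":
    for event_id, hits in triage(EVENTS).items():
        print(event_id, hits)
```

The base64 in event 2 is a placeholder string, not a real payload; the point is that the rule scores the combination of behaviours rather than any single artefact.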

Targeted Industries or Sectors

SolarMarker has been observed targeting a wide range of industries, including education, healthcare, government, hospitality and SMEs. This diversity suggests that the operators want to maximize their reach and impact across different sectors.

Associated Threat Actors

No specific threat actors have been linked to SolarMarker. Some analysis points to sophisticated and persistent groups, but there is no concrete attribution. The lack of identifiable actors makes it hard to track the origin of such advanced malware campaigns.
