SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure

The SolarMarker malware, known by various aliases such as Deimos, Jupyter Infostealer, Polazert, and Yellow Cockatoo, is a sophisticated and evolving cyber threat. According to new research from Recorded Future, the threat actors behind SolarMarker have established a multi-tiered infrastructure designed to complicate law enforcement takedown efforts. This infrastructure includes at least two clusters: a primary one for active operations and a secondary one likely used for testing new strategies or targeting specific regions or industries. This separation allows SolarMarker to quickly adapt to countermeasures, enhancing its resilience and making it particularly difficult to eradicate.

Since its emergence in September 2020, SolarMarker has continuously evolved. It is capable of stealing data from various web browsers and cryptocurrency wallets and can target VPN and RDP configurations. Key developments in its stealth capabilities include increased payload sizes, the use of valid Authenticode certificates, novel Windows Registry changes, and the ability to run directly from memory to avoid disk-based detection. Typically, SolarMarker is disseminated through deceptive downloader sites advertising popular software, SEO poisoning, and malicious email links. Initial droppers are usually executable and MSI files that deploy a .NET-based backdoor, which downloads additional payloads to facilitate information theft. In some instances, the malware uses counterfeit installers that drop a legitimate application or decoy file while simultaneously launching a PowerShell loader to deliver and execute the SolarMarker backdoor in memory.
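The counterfeit-installer behaviour described above (an installer drops a decoy and spawns a PowerShell loader that runs the backdoor in memory) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from Recorded Future or the original report: it scores Sysmon-style process-creation records for a PowerShell child of an installer combined with in-memory-execution markers (encoded command, hidden window, download cradle, reflective assembly load). The event records, the installer-name heuristics and the thresholds are all constructed assumptions for illustration and should be tuned to your environment's baseline.

```python
"""Hunt for installer -> PowerShell in-memory loader chains in process-creation events.

Added example for illustration; the events below are constructed, not real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal view of a Sysmon Event ID 1 / Security 4688 process-creation record."""
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


# Hypothetical heuristic: parents that look like setup/installer programs.
INSTALLER_PARENT = re.compile(r"(?i)(msiexec\.exe|setup[^\\]*\.exe|install[^\\]*\.exe)$")
POWERSHELL_IMAGE = re.compile(r"(?i)\\(powershell|pwsh)\.exe$")

# Command-line markers commonly associated with running code without writing it to disk.
INMEM_MARKERS = {
    "encoded_command": re.compile(r"(?i)(^|\s)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "invoke_expression": re.compile(r"(?i)\b(iex|invoke-expression)\b"),
    "base64_decode": re.compile(r"(?i)frombase64string"),
    "reflective_load": re.compile(r"(?i)\[(system\.)?reflection\.assembly\]::load"),
    "download_cradle": re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b)"),
}


def reasons_for(ev: ProcessEvent) -> list[str]:
    """Return the list of heuristic names that fire for one event (empty if not PowerShell)."""
    reasons: list[str] = []
    if not POWERSHELL_IMAGE.search(ev.image):
        return reasons
    if INSTALLER_PARENT.search(ev.parent_image):
        reasons.append("powershell_spawned_by_installer")
    for name, rx in INMEM_MARKERS.items():
        if rx.search(ev.command_line):
            reasons.append(name)
    return reasons


def find_suspicious(events: list[ProcessEvent], min_score: int = 2) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for events where at least `min_score` heuristics fire.

    Requiring two independent signals keeps a lone installer running a plain
    post-install script (one signal) below the alerting threshold.
    """
    hits = []
    for idx, ev in enumerate(events):
        reasons = reasons_for(ev)
        if len(reasons) >= min_score:
            hits.append((idx, reasons))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (hypothetical paths; the base64 blob is a placeholder).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\Downloads\Manual-Setup.exe", PS,
                 f"powershell.exe -w hidden -enc {'A' * 64}"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 r"powershell.exe -NoProfile -Command Get-ChildItem C:\Temp"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent(r"C:\Users\alice\Downloads\Manual-Setup.exe", r"C:\Windows\System32\msiexec.exe",
                 r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\app.msi /qn"),
    ProcessEvent(r"C:\Users\bob\Downloads\tool-installer.exe", PS,
                 r"powershell.exe -File C:\Temp\post-install.ps1"),
]

if __name__ == "__main__":
    for idx, reasons in find_suspicious(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {ev.parent_image} -> {ev.image}: {', '.join(reasons)}")
```

Only the first constructed event clears the threshold; the installer that runs an ordinary `-File` script fires a single heuristic and is left for lower-priority review rather than an alert.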

Recorded Future’s investigation revealed a multi-tiered command-and-control (C2) server architecture. Tier 1 C2 servers have direct contact with victim machines, and they connect to Tier 2 servers via port 443. Tier 2 servers communicate with Tier 3 servers, which in turn connect to Tier 4 servers, also via port 443. The Tier 4 server is the central server managing downstream servers and connects with an auxiliary server via port 8033, possibly for monitoring or as a backup. There is evidence suggesting that SolarMarker may be the work of a lone actor of unknown origin, although prior research by Morphisec has hinted at a possible Russian connection. The continuous evolution and complex infrastructure of SolarMarker highlight the sophisticated nature of modern cyber threats, emphasizing the importance of advanced cybersecurity measures and ongoing vigilance in protecting against such threats.

Security Officer Comments:
Recent developments of the malware include the addition of SolarPhantom, a Delphi-based hVNC backdoor that allows remote control of victim machines without their knowledge. The malware has also used different tools, such as Inno Setup and PS2EXE, to generate payloads. As recently as two months ago, a new PyInstaller version of SolarMarker was discovered using a dishwasher manual as a decoy. SolarMarker has targeted a diverse range of sectors, including education, government, healthcare, hospitality, and small to medium-sized enterprises. High-profile victims include prominent universities, government departments, global hotel chains, and healthcare providers, with the majority located in the U.S.

Suggested Corrections:

Researchers at Recorded Future recommend the following mitigations to defend against the SolarMarker malware:

  • Implement multi-factor authentication (MFA) to add an extra layer of security and make it more challenging for attackers to abuse compromised credentials.
  • Ensure that both software and browser updates are regularly installed. Updates often include patches for vulnerabilities and replace outdated plug-ins and add-ons, making it harder for threat actors to exploit those weaknesses to compromise a device.
  • Set up a robust email filtering system to detect and flag malicious attachments and links. Preventing these potentially dangerous emails from reaching users’ inboxes is crucial for protecting against phishing attacks. Any suspicious emails should be isolated and held in quarantine for thorough examination and analysis.
  • Monitor network traffic using intrusion detection systems (IDS), intrusion prevention systems (IPS), or other network defense mechanisms to detect and alert on malicious activity.
  • Enforce limits on software installations for users, allowing them to download updates only from trusted sources. Additionally, keep the operating system up to date and verify hashes to ensure the installation of valid applications and updates.
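The last recommendation, verifying hashes before installing downloaded software, matters here because the report notes that SolarMarker has shipped with valid Authenticode certificates, so a signature check alone does not prove a download is the vendor's build. The following is an added example, not code from Recorded Future: it checks a downloaded file against a vendor-published manifest in the common `sha256sum` line format (`<hex digest>  <filename>`), and distinguishes a matching file from a tampered one and from a file the manifest does not list at all. The files, manifest and names are constructed for the demonstration.

```python
"""Verify downloaded installers against a published SHA-256 manifest.

Added example; the installer contents and manifest below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One manifest line: 64 hex chars, whitespace, optional '*' binary marker, filename.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+?)\s*$")


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines into {filename: lowercase hex digest}; reject malformed lines."""
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = MANIFEST_LINE.match(line)
        if match is None:
            raise ValueError(f"manifest line {lineno} is not '<sha256>  <filename>': {raw!r}")
        entries[match.group(2)] = match.group(1).lower()
    return entries


def verify_download(path: Path, manifest: dict[str, str]) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    expected = manifest.get(path.name)
    if expected is None:
        return "unlisted"          # the vendor never published a hash for this name
    actual = sha256_file(path)
    # Constant-time comparison; both sides are ASCII hex of equal length.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo() -> dict[str, str]:
    """Build three constructed downloads and a manifest, then verify each one."""
    genuine = {
        "good-setup.exe": b"constructed genuine installer bytes v1",
        "tampered-setup.exe": b"constructed genuine installer bytes v2",
    }
    # The vendor's manifest covers the two genuine builds only.
    manifest_text = "# constructed vendor manifest\n" + "".join(
        f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in genuine.items()
    )
    manifest = parse_manifest(manifest_text)

    with tempfile.TemporaryDirectory() as tmp:
        downloads = Path(tmp)
        (downloads / "good-setup.exe").write_bytes(genuine["good-setup.exe"])
        # Same filename as a listed build, but different content (simulated swap).
        (downloads / "tampered-setup.exe").write_bytes(b"constructed replaced installer bytes")
        # A download the vendor never published a hash for.
        (downloads / "unknown-tool.exe").write_bytes(b"constructed unlisted bytes")
        return {p.name: verify_download(p, manifest) for p in sorted(downloads.iterdir())}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9s} {name}")
```

An `unlisted` result is treated as a failure, not a pass: if the vendor did not publish a digest for the name you downloaded, the file should not be installed until its origin is confirmed.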