Digital predator SolarMarker masterfully "plays hide-and-seek" with the data of its victims

Father

The malware's multi-layered infrastructure leaves the corporate sector little chance.

Recorded Future recently found that the creators of the SolarMarker malware have built a multi-layered infrastructure designed to hamper law enforcement efforts against it.

"The core of SolarMarker's operations is a multi-layered infrastructure consisting of at least two clusters: a primary one for active operations and a secondary one, probably used to test new strategies or to attack specific regions or industries," the company said in a report.

This structure allows SolarMarker to adapt and respond to countermeasures, making it particularly difficult to dismantle. The malware, also known as Deimos, Jupyter Infostealer, Polazert, and Yellow Cockatoo, has evolved continuously since it first appeared in September 2020.

SolarMarker is capable of stealing data from web browsers and cryptocurrency wallets, and of targeting VPN and RDP configurations. The most affected industries are education, the public sector, healthcare, hospitality, and small and medium-sized businesses. Most of the victims are located in the United States.

The creators of SolarMarker are constantly working to improve its stealth: increasing the payload size, signing with valid Authenticode certificates, and introducing new Windows registry modifications. In addition, the malware can be launched directly from the infected device's memory rather than from disk.

SolarMarker infections usually begin with fake download sites that advertise popular software, or with links in malicious emails. The primary loaders are executable (EXE) and Microsoft Software Installer (MSI) files that, when run, deploy a .NET-based backdoor used to download additional payloads.

Alternative attack chains involve trojanized installers that also run a PowerShell loader to deliver and execute SolarMarker in memory. Last year there were also attacks using a Delphi-based backdoor called SolarPhantom, which gives the operator remote control of the victim's computer.

According to eSentire, in February 2024 SolarMarker campaigns used the Inno Setup and PS2EXE tools to generate payloads. More recently, a PyInstaller-based variant was discovered, distributed using a dishwasher instruction manual as a lure.

There is speculation that SolarMarker may be the work of a cybercriminal of unknown origin, acting alone.

The new findings highlight the complexity and sophistication of the SolarMarker infrastructure, which makes countering this malware particularly difficult.