New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns

SolarMarker has evolved into a multi-stage threat delivering backdoors and infostealers, primarily via SEO-driven campaigns that lure users to download malicious documents. It exfiltrates browser data, can transfer files, and executes commands from a C2, while employing defense-evasion tricks such as code signing, large droppers, and obfuscated PowerShell. #SolarMarker #Jupyter #YellowCockatoo #Polazert

Key points

  • SolarMarker is a multi-stage malware family delivering backdoor and infostealer capabilities, mainly spread through SEO poisoning to convince users to download malicious documents.
  • Capabilities include exfiltrating auto-fill data, saved passwords, and saved credit card information from browsers, plus file transfer and command execution from a C2 server.
  • Defense evasion is a major focus, using signed files, very large dropper files, impersonation of legitimate installers, and obfuscated PowerShell scripts.
  • New versions show evolving attack patterns, including migration from EXE to MSI and back to EXE, with larger dropper sizes and signed droppers.
  • Persistence and execution are achieved via a PowerShell loader, startup-folder LNK persistence, and a Reflective Code Loading technique to load payloads into memory.
  • The infostealer module extracts browser data (login data, cookies, auto-fill) and decrypts it with DPAPI, exfiltrating it over encrypted channels to C2 servers.

MITRE Techniques

  • [T1189] Drive-by Compromise – The primary infection vector is SEO poisoning; “The primary infection vector of SolarMarker is SEO poisoning, which is an attack method in which threat actors create malicious websites packed with keywords and use search engine optimization techniques to make them show up prominently in search results.”
  • [T1059.001] PowerShell – Execution via obfuscated PowerShell scripts to deploy the attack and stay under the radar; “The attackers use obfuscated PowerShell scripts to deploy their attack and stay under the radar.”
  • [T1027] Obfuscated/Compressed Files and Information – The PowerShell loader is obfuscated; “obfuscated PowerShell loader script.”
  • [T1564.001] Hide Artifacts – Hiding PowerShell activity by suppressing windows; “showWindowAsync makes PowerShell windows hidden to conceal malicious activity.”
  • [T1620] Reflective Code Loading – The loader uses Reflective Code Loading to load the backdoor without dropping to disk; “The loading technique is called Reflective Code Loading.”
  • [T1116] Code Signing – Signed droppers with legitimate certificates to evade detection; “The file is signed with valid digital certificates to further hide from detection… certificate chain has been revoked.”
  • [T1547.001] Boot or Logon Autostart – Persistence via a LNK file in the Startup folder; “Achieves persistence using the lnk file in the startup folder. The target file of the lnk is the encrypted base64 payload of the SolarMarker backdoor with the random extension.”
  • [T1071.001] Web Protocols – C2 communication over HTTP POST requests; “The protocol communication is HTTP – usually POST requests.”
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration over the existing C2 channel; “exfiltrates it over an existing C2 channel.”
  • [T1555.003] Credentials from Web Browsers – Infostealer reads browser data and decrypts it with DPAPI; “acquires login data, cookies and web data (auto-fill) from web browsers … uses the API function CryptUnprotectData (DPAPI) to decrypt the credentials.”
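The persistence and execution entries above (T1547.001, T1564.001, T1059.001) describe a concrete, huntable pattern: a shortcut in a Startup folder whose target is a payload with a random extension, launched through hidden PowerShell. The script below is an added defensive example written for this summary; it is not code from the Unit 42 report or from SolarMarker. It enumerates both Startup folders, resolves each shortcut's target with the WScript.Shell COM object, and flags shortcuts whose target extension is not on an allow-list, whose arguments invoke PowerShell or a hidden window, or whose window style is minimized, then records the target's SHA256 and Authenticode status for triage. The allow-list of expected extensions is an assumption and should be tuned to the environment.

```powershell
# Added hunt script (not from the Unit 42 report): flag Startup-folder shortcuts
# that match the persistence pattern described in the summary.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Assumed allow-list of extensions a Startup shortcut normally points at.
$expectedExt = @('.exe', '.lnk', '.url', '.bat', '.cmd', '.msi', '.ps1',
                 '.vbs', '.js', '.wsf', '.com', '.scr', '')

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $sc     = $shell.CreateShortcut($lnk.FullName)
        $target = $sc.TargetPath
        $ext    = [IO.Path]::GetExtension($target).ToLowerInvariant()
        $reasons = @()

        # Target with a non-standard extension (e.g. a random-extension payload)
        if ($expectedExt -notcontains $ext) { $reasons += "uncommon target extension '$ext'" }

        # Arguments that launch PowerShell or request a hidden window
        if ($sc.Arguments -match '(?i)powershell|-enc|-w(indowstyle)?\s+hidden') {
            $reasons += 'PowerShell or hidden-window arguments'
        }

        # Shortcut WindowStyle 7 = run minimized
        if ($sc.WindowStyle -eq 7) { $reasons += 'shortcut runs minimized' }

        if ($reasons.Count -gt 0) {
            $hash = 'n/a'; $sigStatus = 'n/a'; $signer = 'n/a'
            if ($target -and (Test-Path -Path $target -PathType Leaf)) {
                $hash = (Get-FileHash -Algorithm SHA256 -Path $target).Hash
                $sig  = Get-AuthenticodeSignature -FilePath $target
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [PSCustomObject]@{
                Shortcut     = $lnk.FullName
                Target       = $target
                Arguments    = $sc.Arguments
                TargetSHA256 = $hash
                SigStatus    = $sigStatus
                Signer       = $signer
                Reason       = ($reasons -join '; ')
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it in an elevated session to cover the all-users Startup folder. Hashes it reports can be compared against the SHA256 indicators listed below, and a signer subject matching one of the listed certificates, or a signature status other than Valid, is worth escalating even when the extension check alone did not fire.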

Indicators of Compromise

  • [IP] network indicators – 84.252.95.225, 89.44.9.108, and 16 more IPs
  • [SHA256] hashes observed – af1e952b5b02ca06497e2050bd1ce8d17b9793fdb791473bdae5d994056cb21f, b4878d6b9d7462cafe81d20da148a44750aa707f4e34eae1f23f21f9e0d9afa0, and 2 more hashes
  • [Filename] droppers and payloads – Optumrx-Quantity-Limit-Prior-Authorization-Form.exe, Fedex-Domestic-Air-Waybill.exe, and 2 more
  • [Certificate] code signing certificates – Zimmi Consulting Inc (Serial Number: 06 FA 27 A1 21 CC 82 23 0C 30 13 EE 63 4B 6C 62), Divertida Creative Limited (Serial Number: 08 83 DB 13 70 21 B5 1F 3A 2A 08 A7 6A 4B C0 66), and other certificates (status: revoked)

Read more: https://unit42.paloaltonetworks.com/solarmarker-malware/