SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure

May 21, 2024 | Newsroom | Data Breach / Malware

The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from Recorded Future show.

“The core of SolarMarker’s operations is its layered infrastructure, which consists of at least two clusters: a primary one for active operations and a secondary one likely used for testing new strategies or targeting specific regions or industries,” the company said in a report published last week.

“This separation enhances the malware’s ability to adapt and respond to countermeasures, making it particularly difficult to eradicate.”

SolarMarker, known by the names Deimos, Jupyter Infostealer, Polazert, and Yellow Cockatoo, is a sophisticated threat that has exhibited a continuous evolution since its emergence in September 2020. It has the capability to steal data from several web browsers and cryptocurrency wallets, as well as target VPN and RDP configurations.


Among the top targeted verticals are education, government, healthcare, hospitality, and small and medium-sized enterprises, per data gathered since September 2023. This includes prominent universities, government departments, global hotel chains, and healthcare providers. A majority of the victims are located in the U.S.

Over the years, the malware authors have focused their development efforts on making it more stealthy through increased payload sizes, the use of valid Authenticode certificates, novel Windows Registry changes, and the ability to run it directly from memory rather than from disk.

Infection pathways typically involve hosting SolarMarker on bogus downloader sites advertising popular software, which a victim reaches either inadvertently, through SEO (search engine optimization) poisoning, or via a link in a malicious email.

The initial droppers take the form of executables (EXE) and Microsoft Software Installer (MSI) files that, when launched, lead to the deployment of a .NET-based backdoor that is responsible for downloading additional payloads for facilitating information theft.


Alternate sequences leverage the counterfeit installers to drop a legitimate application (or a decoy file), while simultaneously launching a PowerShell loader for delivering and executing the SolarMarker backdoor in memory.

SolarMarker attacks over the past year have also involved the delivery of a Delphi-based hVNC backdoor called SolarPhantom that allows for remotely controlling a victim machine without their knowledge.

“In recent cases, SolarMarker’s threat actor has alternated between Inno Setup and PS2EXE tools to generate payloads,” cybersecurity firm eSentire noted in February 2024.

As recently as two months ago, a new PyInstaller version of the malware was observed in the wild, propagated using a dishwasher manual as a decoy, according to a malware researcher who goes by the name Squiblydoo and has extensively documented SolarMarker over the years.

There is evidence to suggest that SolarMarker is the work of a lone actor of unknown provenance, although prior research from Morphisec has alluded to a possible Russian connection.


Recorded Future’s investigation into the server configurations linked to the command-and-control (C2) servers has uncovered a multi-tiered architecture that is part of two broad clusters, one of which is likely used for testing purposes or for targeting specific regions or industries.

The layered infrastructure includes a set of Tier 1 C2 servers that are in direct contact with victim machines. These servers connect to a Tier 2 C2 server via port 443. Tier 2 C2 servers similarly communicate with Tier 3 C2 servers via port 443, and Tier 3 C2 servers persistently connect to Tier 4 C2 servers via the same port.

“The Tier 4 server is considered the central server of the operation, presumably used for effectively administering all downstream servers on a long-term basis,” the cybersecurity firm said, adding that it also observed the Tier 4 C2 server communicating with another “auxiliary server” via port 8033.

“Although the precise purpose of this server remains unknown, we speculate that it is used for monitoring, possibly serving as a health check or backup server.”
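A defender's view of that tiering, as an added example that is not from the Recorded Future report or from any SolarMarker tooling: the script below takes connection records (source, destination, destination port) of the kind that netflow or server-configuration analysis yields and assigns each server a tier by the rule the report describes, namely that victims talk only to Tier 1 and every further hop is over port 443. Links that leave the top tier on a different port are reported as candidate auxiliary servers, matching the port 8033 observation. All hostnames and flows are constructed placeholders, not SolarMarker indicators.

```python
"""Infer C2 tiers from connection records (added example, constructed data)."""
from collections import defaultdict

C2_PORT = 443  # every tier-to-tier hop in the report uses this port

# Constructed sample records: hostnames are placeholders, not real SolarMarker IoCs.
SAMPLE_FLOWS = [
    ("victim-a", "t1-srv-1", 443),
    ("victim-b", "t1-srv-1", 443),
    ("victim-c", "t1-srv-2", 443),
    ("t1-srv-1", "t2-srv-1", 443),
    ("t1-srv-2", "t2-srv-1", 443),
    ("t2-srv-1", "t3-srv-1", 443),
    ("t3-srv-1", "t4-srv-1", 443),
    ("t4-srv-1", "aux-srv-1", 8033),
    ("victim-a", "update.example", 80),  # unrelated traffic, not on the C2 port: ignored
]
SAMPLE_VICTIMS = {"victim-a", "victim-b", "victim-c"}


def assign_tiers(flows, victims, port=C2_PORT):
    """Return {host: tier}; tier is the longest chain of `port` hops back to a victim.

    Longest-path relaxation over the hop graph. Victims stay at tier 0, and a
    chain that keeps growing past the host count means a cycle, which the
    tiered model cannot represent.
    """
    tiers = {v: 0 for v in victims}
    edges = [(src, dst) for src, dst, dport in flows if dport == port and dst not in victims]
    hosts = {h for edge in edges for h in edge} | set(victims)
    for _ in range(len(hosts) + 1):
        changed = False
        for src, dst in edges:
            if src in tiers and tiers[src] + 1 > tiers.get(dst, -1):
                tiers[dst] = tiers[src] + 1
                changed = True
        if not changed:
            return tiers
    raise ValueError("cycle in C2 hop graph; tiering is not well defined")


def group_by_tier(tiers):
    """Return {tier: sorted hosts} for reporting; victims (tier 0) are left out."""
    groups = defaultdict(list)
    for host, tier in tiers.items():
        if tier > 0:
            groups[tier].append(host)
    return {tier: sorted(hosts) for tier, hosts in sorted(groups.items())}


def auxiliary_links(flows, tiers, port=C2_PORT):
    """Links leaving the top-tier server on a port other than the C2 port.

    This is the generic form of the report's observation that the Tier 4
    server reached an 'auxiliary server' on port 8033.
    """
    top = max(tiers.values())
    return sorted(
        (src, dst, dport)
        for src, dst, dport in flows
        if tiers.get(src) == top and dport != port
    )


if __name__ == "__main__":
    tiers = assign_tiers(SAMPLE_FLOWS, SAMPLE_VICTIMS)
    for tier, hosts in group_by_tier(tiers).items():
        print(f"Tier {tier}: {', '.join(hosts)}")
    for src, dst, dport in auxiliary_links(SAMPLE_FLOWS, tiers):
        print(f"auxiliary candidate: {src} -> {dst}:{dport}")
```

The tier map makes the takedown problem concrete: indicators collected from infected hosts only ever name Tier 1 servers, so blocking or seizing those leaves Tiers 2 to 4 untouched, and the depth you can recover is bounded by how much server-to-server traffic you can actually see.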
