31 May

SolarMarker malware: A Sophisticated, Evolving Threat to Multiple Sectors

The SolarMarker malware, also known as Deimos, Jupyter Infostealer, Polazert, and Yellow Cockatoo, is a sophisticated information-stealing threat with a multi-tiered infrastructure that complicates law enforcement takedown efforts.

Recent findings from Recorded Future reveal that SolarMarker’s operations are based on a layered infrastructure with at least two clusters: a primary one for active operations and a secondary one likely used for testing or targeting specific regions and industries.

Since its emergence in September 2020, SolarMarker has continuously evolved and is capable of stealing data from web browsers, cryptocurrency wallets, and VPN and RDP configurations. The malware primarily targets sectors such as education, government, healthcare, hospitality, and small and medium-sized enterprises, with most victims located in the U.S.

The malware authors have focused on enhancing stealth through increased payload sizes, valid Authenticode certificates, novel Windows Registry changes, and the ability to run directly from memory. Infection typically begins with SolarMarker hosted on bogus downloader sites or delivered via malicious email links, leading to the deployment of a .NET-based backdoor that is used to deliver additional payloads.


SolarMarker attacks have also used a Delphi-based hVNC backdoor called SolarPhantom for remote control of victim machines. Recent developments include switching between the Inno Setup and PS2EXE packaging tools, and using a dishwasher manual as a decoy document for a new PyInstaller-based version. The malware’s multi-tiered C2 architecture features a central Tier 4 server that administers the downstream servers, plus an auxiliary server used for monitoring or backup purposes.