Researchers have revealed an improved version of the SolarMarker malware that includes new features intended to strengthen its defense evasion and keep it undetected.
“The newest version indicated an advancement from dealing with Windows Portable Executables (EXE files) to working with Windows installation package files (MSI files),” according to a report issued this month by Palo Alto Networks Unit 42 researchers. “This campaign is still in the works, and it will revert to using executable files (EXE) like it did in previous editions.”
The main infection vector for SolarMarker, also known as Jupyter, is manipulated search engine optimization (SEO). The malware is known for its information-stealing and backdoor capabilities, which let attackers harvest data from web browsers and run arbitrary commands fetched from a remote server.
In February 2022, SolarMarker’s operators were observed using covert Windows Registry techniques to maintain long-term persistence on compromised PCs.
The evolving attack patterns observed by Unit 42 continue this behaviour: infection chains take the form of 250MB executables posing as PDF readers and utilities, hosted on bogus websites that are stuffed with keywords and built with SEO techniques so they rank higher in search results.
The enormous file size helps the initial-stage dropper evade detection by antivirus engines. The dropper is also designed to download and install the legitimate program while, in the background, launching a PowerShell installer that deploys the SolarMarker malware.
The SolarMarker backdoor is a .NET-based payload with internal reconnaissance and system-metadata collection capabilities; everything it gathers is exfiltrated to a remote server over an encrypted connection.
The implant also serves as the channel through which SolarMarker’s data-stealing module is installed on the victim system. The stealer can harvest autofill data, cookies, passwords and credit card information from web browsers.
“The virus puts a lot of effort into defence evasion,” the researchers stated, citing strategies such as signed files, large files, impersonation of legitimate software installations, and obfuscated PowerShell scripts.
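As an added defender-side example (not code from the article or from Unit 42), the following Python script scores process-creation telemetry for the pattern described above: PowerShell launched from an oversized installer executable, or from the Windows Installer host, with the switches that typically accompany an obfuscated launch (encoded command, hidden window, no profile, execution-policy bypass). The event schema, the 100 MiB size threshold, the sample events and their command lines are constructed assumptions for illustration; decoding of -EncodedCommand as UTF-16LE base64 is standard PowerShell behaviour.

```python
# Added example (not from the Unit 42 report or the article): a small
# triage heuristic for process-creation telemetry that flags PowerShell
# launched from an oversized installer or from the MSI host with
# obfuscation switches. Field names, thresholds and the sample events
# below are constructed assumptions for illustration.
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record (assumed schema, e.g. an EDR/Sysmon feed)."""
    parent_image: str        # full path of the parent executable
    parent_size_bytes: int   # on-disk size of that parent executable
    image: str               # full path of the new process
    command_line: str        # command line of the new process


# Assumption: installers above this size count as "oversized"; the article
# cites 250MB droppers, so 100 MiB leaves headroom for large real installers.
LARGE_DROPPER_BYTES = 100 * 1024 * 1024
INSTALLER_HOSTS = {"msiexec.exe"}        # Windows Installer host process
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")

# PowerShell switches commonly paired with obfuscated launches.
# Dict order fixes the order in which reasons are reported.
OBFUSCATION_PATTERNS = {
    "encoded-command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
    "hidden-window": re.compile(r"(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b", re.I),
    "no-profile": re.compile(r"(?:^|\s)-(?:nop|noprofile)\b", re.I),
    "policy-bypass": re.compile(r"(?:^|\s)-(?:ep|executionpolicy)\s+bypass\b", re.I),
}
ENCODED_BLOB = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the script behind -EncodedCommand (UTF-16LE base64), or None."""
    m = ENCODED_BLOB.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument; used here only to construct sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def score_event(ev: ProcessEvent) -> list:
    """List the reasons a PowerShell launch looks like an installer-staged payload.

    An empty list means no match. A valid code signature on the parent is
    deliberately not used to clear an event, since the article notes that
    signed files are part of the evasion toolkit.
    """
    reasons = []
    if basename(ev.image) not in POWERSHELL_IMAGES:
        return reasons
    parent = basename(ev.parent_image)
    if parent in INSTALLER_HOSTS:
        reasons.append("installer-host-parent")
    elif ev.parent_size_bytes >= LARGE_DROPPER_BYTES:
        reasons.append("oversized-parent")
    for name, pattern in OBFUSCATION_PATTERNS.items():
        if pattern.search(ev.command_line):
            reasons.append(name)
    return reasons


def triage(events) -> list:
    """Return (parent basename, reasons, decoded script or None) for matching events."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((basename(ev.parent_image), reasons, decode_encoded_command(ev.command_line)))
    return hits


# Constructed sample telemetry (not real SolarMarker artefacts).
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\Downloads\pdf-reader-setup.exe", 250 * 1024 * 1024, PS_PATH,
                 f"powershell.exe -nop -w hidden -ep bypass -enc {encode_ps('Write-Output 1')}"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", 70_000, PS_PATH,
                 f"powershell.exe -w hidden -enc {encode_ps('Write-Output 2')}"),
    ProcessEvent(r"C:\Windows\explorer.exe", 4_000_000, PS_PATH,
                 r"powershell.exe -File C:\scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", 4_000_000, r"C:\Windows\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for parent, reasons, script in triage(SAMPLE_EVENTS):
        print(f"{parent}: {', '.join(reasons)}" + (f" -> {script!r}" if script else ""))
```

Running the script prints only the two constructed events that fit the pattern (the oversized fake PDF-reader installer and the msiexec-spawned launch) together with the decoded command, while the ordinary scheduled-script launch from explorer.exe is left alone. The reasons are kept as a list rather than a single score so an analyst can see which of the article's evasion traits (large file, installer impersonation, obfuscated PowerShell) each event exhibits.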