
SolarMarker
Type of Malware
Infostealer
Country of Origin
Russia
Date of initial activity
2020
Targeted Countries
United States
United Kingdom
Canada
Australia
India
Germany
France
Japan
South Korea
Brazil
Additional Names
Jupyter, Polazert, Yellow Cockatoo
Associated Groups
None publicly confirmed. Public reporting tracks SolarMarker as its own financially motivated cluster; it has not been attributed to APT28 (Fancy Bear), APT29 (Cozy Bear), or Charming Kitten, and a state-sponsored link would conflict with the financial motivation described below.
Motivation
Financial gain: stealing large volumes of data that can be sold on criminal forums, enabling further exploitation and follow-on attacks.
Attack Vectors
Jupyter (SolarMarker) infections rely on SEO poisoning and search-engine redirects that steer victims toward malicious downloads. Common delivery methods include malicious websites, drive-by downloads, and phishing emails; users typically pick up the infostealer while visiting compromised websites or clicking on malicious ads. The downloads arrive through ordinary web browsers, most often Firefox, Chrome, and Edge.
Targeted Systems
Windows
Tools
Cobalt Strike
Metasploit Framework
PowerShell
Rclone
Overview
SolarMarker, a well-known infostealer, has been evolving its multi-tiered infrastructure since its emergence in 2020. Also tracked as Yellow Cockatoo, Polazert, and Jupyter Infostealer, it targets sectors including education, healthcare, and small and medium-sized enterprises (SMEs). To evade detection, SolarMarker signs its payloads with Authenticode certificates and delivers them inside very large archive files.
Targets
Multiple sectors, including education, healthcare, government, hospitality, and small and medium-sized enterprises (SMEs). The malware targets both individuals and organizations.
How they operate
Since its inception in 2020, SolarMarker has shown considerable sophistication and resilience. Its operators maintain a multi-tiered infrastructure that can be rebuilt quickly after a takedown or compromise, which lets the operation persist despite disruption efforts by law enforcement and security researchers.

SolarMarker's evasion techniques are particularly noteworthy. Signing payloads with Authenticode certificates lends them a veneer of legitimacy, so signature- and reputation-based controls are less likely to flag or block them. Delivering the payload inside very large archive files exploits the size ceilings of traditional antivirus engines, which may skip or only partially scan oversized files.

The operation is structured around a layered infrastructure comprising at least two clusters: a primary cluster for active operations and a secondary cluster likely used for testing new strategies or for targeting specific industries or regions. This separation improves SolarMarker's adaptability and resilience and complicates efforts to detect and eradicate it.

Recorded Future's Network Intelligence has identified a significant number of victims across multiple sectors, including education, healthcare, government, hospitality, and SMEs. SolarMarker targets both individuals and organizations, exfiltrating large volumes of data that can be sold on criminal forums, leading to further exploitation and subsequent attacks.
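The oversized-archive trick above can be caught before a scanner ever gives up on the file: an installer padded to hundreds of megabytes is mostly repeated bytes, so its entries compress far better than real program data, and its unpacked size alone tells you whether the AV engine would have scanned it fully. The script below is an added example written for this page, not code from CyberMaterial or from the malware; the thresholds (250 MB scan ceiling, 50:1 padding ratio, 64 KB minimum entry size) are assumed illustrative defaults that should be tuned to the AV product in use, and the sample archive is constructed inline so the script runs offline.

```python
"""
Triage heuristic for the "oversized archive" evasion described in the text.

Added example for this page (not CyberMaterial's or SolarMarker's code).
Assumptions, none of which come from the original text:
  * MAX_SCANNABLE_BYTES, PADDING_RATIO and MIN_PADDED_BYTES are illustrative
    defaults; tune them to the scanner actually deployed.
  * build_sample_archive() fabricates a small lure-style zip so the checks
    can be exercised without any real sample.
"""
import io
import os
import random
import zipfile
from dataclasses import dataclass

# Many scanners skip or truncate files above a size ceiling; 250 MB is an
# assumed, conservative figure used only for illustration.
MAX_SCANNABLE_BYTES = 250 * 1024 * 1024
# Real program data rarely deflates better than ~10:1. A 50:1 or better ratio
# almost always means zero/repeat padding bolted onto a small payload.
PADDING_RATIO = 50.0
# Ignore tiny entries (text files, manifests) that happen to compress well.
MIN_PADDED_BYTES = 64 * 1024


@dataclass
class Finding:
    name: str
    reason: str
    uncompressed: int
    compressed: int


def inspect_zip(data: bytes, max_scannable: int = MAX_SCANNABLE_BYTES) -> list[Finding]:
    """Flag padded entries and archives whose unpacked size would defeat scanning."""
    findings: list[Finding] = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            if info.is_dir() or info.compress_size == 0:
                continue
            ratio = info.file_size / info.compress_size
            if info.file_size >= MIN_PADDED_BYTES and ratio >= PADDING_RATIO:
                findings.append(Finding(info.filename,
                                        f"inflated entry ({ratio:.0f}:1 compression)",
                                        info.file_size, info.compress_size))
    if total > max_scannable:
        findings.append(Finding("<archive>", "unpacked size exceeds scan ceiling",
                                total, len(data)))
    return findings


def scan_directory(path: str, max_scannable: int = MAX_SCANNABLE_BYTES) -> dict[str, list[Finding]]:
    """Run the checks over every file in a downloads folder (non-zip files only get the size check)."""
    results: dict[str, list[Finding]] = {}
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        size = entry.stat().st_size
        findings: list[Finding] = []
        if size > max_scannable:
            findings.append(Finding(entry.name, "file exceeds scan ceiling", size, size))
        if zipfile.is_zipfile(entry.path):
            with open(entry.path, "rb") as fh:
                findings.extend(inspect_zip(fh.read(), max_scannable))
        if findings:
            results[entry.name] = findings
    return results


def build_sample_archive() -> bytes:
    """Constructed sample: a readme, an incompressible data blob, and a zero-padded 'installer'."""
    buf = io.BytesIO()
    rng = random.Random(7)  # deterministic pseudo-random bytes stand in for real data
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Quarterly report. Run the installer to view.\n")
        zf.writestr("report_data.bin", bytes(rng.randrange(256) for _ in range(64 * 1024)))
        # A 2-byte stub followed by 2 MB of zeros: deflates to a few KB, so the
        # compression ratio is in the hundreds and the entry is flagged.
        zf.writestr("Report_Installer.exe", b"MZ" + b"\x00" * (2 * 1024 * 1024))
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip(build_sample_archive()):
        print(f"{f.name}: {f.reason} ({f.uncompressed} -> {f.compressed} bytes)")
```

Point scan_directory at a user's Downloads folder to triage real files; the compression-ratio check is what catches padded installers that are still below the scanner's ceiling, while the size check catches the ones that would have been skipped outright.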
MITRE Tactics and Techniques
TA0001: Initial Access
TA0002: Execution
TA0003: Persistence
TA0005: Defense Evasion
TA0006: Credential Access
TA0007: Discovery
TA0009: Collection
TA0010: Exfiltration
Impact / Significant Attacks
Attack on Educational Institutions: Targeted multiple educational institutions to steal sensitive data and disrupt operations.
Healthcare Sector Breach: Infiltrated healthcare organizations, leading to the exposure of patient records and other sensitive information.
SME Compromise: Conducted attacks on small and medium-sized enterprises, aiming to extract financial and operational data.
Government Agency Intrusion: Targeted government entities to gather classified or sensitive governmental information.
References
The post SolarMarker (Infostealer) – Malware first appeared on CyberMaterial.


