SolarMarker Malware Evolves: Multi-Layered Infrastructure Thwarts Law Enforcement

Researchers at Recorded Future recently discovered that the creators of the SolarMarker malware have developed a multi-layered infrastructure to complicate efforts by law enforcement.

“The core of SolarMarker’s operations is its layered infrastructure, which consists of at least two clusters: a primary one for active operations and a secondary one likely used for testing new strategies or targeting specific regions or industries,” the company’s report states.

This structure allows SolarMarker to adapt and respond to countermeasures, making its removal particularly challenging. Known also as Deimos, Jupyter Infostealer, Polazert, and Yellow Cockatoo, the malware has continuously evolved since its emergence in September 2020.


SolarMarker is capable of stealing data from various web browsers and cryptocurrency wallets, and of targeting VPN and RDP configurations. The most affected sectors include education, government, healthcare, hospitality, and small to medium-sized businesses. Most victims are located in the United States.

The creators of SolarMarker are constantly enhancing its stealth capabilities by increasing payload size, using legitimate Authenticode certificates, and making new changes to the Windows registry. Additionally, the malware can be executed directly in memory on the infected device rather than from disk.

Infection typically occurs through fake download sites promoting popular software or through links in malicious emails. The primary loaders are executable files (EXE) and Microsoft Software Installer (MSI) files that, when launched, deploy a .NET-based backdoor to download additional payloads.

Alternative attack sequences involve tampered installers that simultaneously launch a PowerShell loader to deliver and execute SolarMarker in memory. Last year, there were also attacks using a Delphi-based backdoor called SolarPhantom, which allows remote control of the victim’s computer.

According to eSentire, in February 2024 SolarMarker campaigns were using the Inno Setup and PS2EXE tools to generate payloads. More recently, a PyInstaller-based version was discovered, distributed using a dishwasher manual as bait. There is speculation that SolarMarker might be the work of a lone cybercriminal of unknown origin.

New data on this threat highlights the complexity and sophistication of SolarMarker’s infrastructure, making the fight against this malware particularly arduous.