SolarMarker is a multi-stage malware family that combines an information stealer with a general-purpose backdoor, and it has been targeting businesses and individuals for over a year and a half. Recent changes to the malware's design, together with new command and control infrastructure, show that it remains an active threat whose operators keep adapting it to avoid detection by security products and defense teams.
Among the new techniques reported by researchers at Palo Alto Networks Unit 42: the initial delivery vector has switched from MSI Windows Installer packages to EXE files; the executables are signed with valid code-signing certificates; the files are inflated to a very large size (over 250MB); and a copy of legitimate software is embedded inside the large EXE alongside the malware code to hinder anti-virus scanning. The new version still relies on PowerShell, as the older version did, but the obfuscated PowerShell script now comes into play only when the victim machine reboots, as part of the persistence mechanism. The latest version continues to check in with its Command and Control (C2) server every 60 seconds over HTTP, with message bodies encrypted using AES.
The threat actors behind SolarMarker campaigns use Search Engine Optimization (SEO) poisoning to steer unsuspecting victims to attacker-controlled websites that impersonate the official download page for the software the person was searching for. Because the installer also sets up the legitimate software, people who download and run it may be completely unaware that they got more than they bargained for.
Analyst Notes
The technique of using SEO poisoning for common software search terms (such as PDF viewer software) is not highly targeted toward a specific industry vertical, so all industries should be aware of this threat and how to defend against it. Restricting employees from downloading installer packages (whether they are EXE or MSI) from the Internet without review by IT or security personnel is a good policy to prevent this and other malware or unwanted software from running on business computers.
Although the techniques used by SolarMarker may be effective at evading anti-virus file scanning, behavioral detections remain effective against it and many other malware families: watch for unusual PowerShell script content, newly created persistence mechanisms, and processes that contact remote servers on a fixed, regularly repeating schedule (e.g., every 60 seconds).
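The last of those detections, spotting a process that beacons on a fixed interval, is easy to implement over proxy or firewall connection logs. The script below is an added example written for this note; it is not Binary Defense's or Unit 42's code, and the log lines, host names and destination addresses in it are constructed for illustration. It groups outbound connections by source host and destination, computes the inter-arrival times, and flags pairs whose gaps cluster tightly around one period (low coefficient of variation), which is what a 60-second C2 check-in looks like next to ordinary human-driven browsing.

```python
"""Detect fixed-interval beaconing in outbound connection logs.

Added example (not code from the Binary Defense note or Unit 42's report).
Flags (source host, destination) pairs whose connection inter-arrival times
cluster tightly around one period, e.g. a 60-second C2 check-in.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one connection per line:
#   "<ISO timestamp> <src_host> <dst_ip>:<port>"
# host-a checks in with 198.51.100.23 roughly every 60 s (1 s of jitter);
# host-b reaches an internal web server at irregular, human-paced intervals.
SAMPLE_LOG = """\
2022-04-19T09:00:00 host-a 198.51.100.23:80
2022-04-19T09:00:05 host-b 10.0.0.5:443
2022-04-19T09:01:00 host-a 198.51.100.23:80
2022-04-19T09:01:41 host-b 10.0.0.5:443
2022-04-19T09:02:01 host-a 198.51.100.23:80
2022-04-19T09:02:02 host-b 10.0.0.5:443
2022-04-19T09:03:00 host-a 198.51.100.23:80
2022-04-19T09:03:59 host-a 198.51.100.23:80
2022-04-19T09:04:10 host-b 10.0.0.5:443
2022-04-19T09:05:00 host-a 198.51.100.23:80
2022-04-19T09:06:00 host-a 198.51.100.23:80
2022-04-19T09:06:33 host-b 10.0.0.5:443
2022-04-19T09:07:01 host-a 198.51.100.23:80
2022-04-19T09:08:00 host-a 198.51.100.23:80
2022-04-19T09:08:48 host-b 10.0.0.5:443
"""


def parse_log(text):
    """Group connection timestamps by (src_host, dst) key."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns


def beacon_score(timestamps):
    """Return (mean period in seconds, coefficient of variation of the gaps).

    A coefficient of variation near 0 means the connections are evenly
    spaced; human browsing produces values well above 0.3.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    period = mean(gaps)
    cv = pstdev(gaps) / period if period else float("inf")
    return period, cv


def find_beacons(text, min_connections=6, max_cv=0.1):
    """Return {(src, dst): rounded period} for pairs that beacon regularly.

    min_connections avoids scoring pairs with too few samples to judge;
    max_cv is the jitter tolerance (0.1 allows ~6 s of spread on a 60 s beat).
    """
    hits = {}
    for key, times in parse_log(text).items():
        if len(times) < min_connections:
            continue
        period, cv = beacon_score(times)
        if cv <= max_cv:
            hits[key] = round(period)
    return hits


if __name__ == "__main__":
    for (src, dst), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: regular beacon, period ~{period}s")
```

Run over the constructed sample, only host-a's connections to 198.51.100.23 are flagged, with a period of 60 seconds. In production the same logic runs per sliding window over hours of logs, and the tolerance should be tuned to the environment: legitimate software also polls on timers (update checks, monitoring agents), so the hit list is a triage queue to be joined against process, signer and destination reputation data, not a verdict on its own.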
Binary Defense’s Security Operations Task Force has caught several SolarMarker installations in the early stages and stopped them from becoming more serious incidents.
https://thehackernews.com/2022/04/new-solarmarker-malware-variant-using.html