SolarMarker is a multi-stage malware threat that includes an information stealer component and a general-purpose backdoor; it has been targeting businesses and individuals for over a year and a half. Recent changes in the malware's design and new command and control infrastructure show that it remains an active threat, one that has evolved over time to avoid detection by security products and defense teams.
Some of the new techniques reported by researchers at Palo Alto Unit 42 include switching from MSI Windows Installer packages to EXE files as the initial delivery vector, signing the executables with valid code-signing certificates, inflating the files to over 250 MB, and embedding legitimate software inside the large EXE files alongside the malware code to fool antivirus scanners. The new version of SolarMarker still uses PowerShell, as the older version did, but the obfuscated PowerShell script now runs only when the victim machine reboots, as part of the persistence mechanism. The latest version continues to contact its command and control (C2) server every 60 seconds over HTTP, with the messages AES-encrypted.
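A fixed 60-second check-in is hard to hide in web proxy logs even when the payload is encrypted, because the timing itself is the signal. The following detector is an added example written for this article (it is not code from Unit 42 or from any SolarMarker analysis); it groups requests by (source, destination) pair and flags pairs whose inter-request interval clusters tightly around an expected period. The log format, IP addresses, and traffic are all constructed for the example.

```python
"""Beacon-interval detector over proxy logs (added example, standard library only).

Flags (source, destination) pairs whose requests recur at a near-constant
period, the pattern a fixed 60-second C2 check-in leaves in web logs.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample proxy log lines (not captured traffic). Format:
#   <ISO timestamp> <src_ip> <dst_ip> <method> <path> <bytes>
# 10.0.0.5 contacts 203.0.113.10 about once a minute with ~1 s of jitter;
# 10.0.0.7 browses 198.51.100.20 at irregular, human-paced intervals.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.10 POST / 412
2024-01-01T10:01:01 10.0.0.5 203.0.113.10 POST / 418
2024-01-01T10:02:00 10.0.0.5 203.0.113.10 POST / 412
2024-01-01T10:03:02 10.0.0.5 203.0.113.10 POST / 420
2024-01-01T10:04:01 10.0.0.5 203.0.113.10 POST / 412
2024-01-01T10:05:00 10.0.0.5 203.0.113.10 POST / 416
2024-01-01T10:06:01 10.0.0.5 203.0.113.10 POST / 412
2024-01-01T10:07:00 10.0.0.5 203.0.113.10 POST / 414
2024-01-01T10:00:30 10.0.0.5 198.51.100.20 GET /update 700
2024-01-01T10:00:00 10.0.0.7 198.51.100.20 GET /index.html 5120
2024-01-01T10:00:03 10.0.0.7 198.51.100.20 GET /style.css 880
2024-01-01T10:00:20 10.0.0.7 198.51.100.20 GET /news 9300
2024-01-01T10:02:45 10.0.0.7 198.51.100.20 GET /article/42 12040
2024-01-01T10:03:00 10.0.0.7 198.51.100.20 GET /images/logo.png 2210
2024-01-01T10:09:30 10.0.0.7 198.51.100.20 GET /contact 3100
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, *_rest = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def find_beacons(events, expected_period=60.0, tolerance=5.0, min_count=5):
    """Return {(src, dst): stats} for pairs beaconing near expected_period.

    A pair is flagged when it has at least min_count requests, the median
    gap between consecutive requests is within tolerance of expected_period,
    and the spread (population std. dev.) of the gaps is also within tolerance.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue  # too few samples to judge periodicity
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(deltas)
        jitter = pstdev(deltas)
        if abs(period - expected_period) <= tolerance and jitter <= tolerance:
            findings[pair] = {
                "count": len(stamps),
                "median_period": period,
                "jitter": round(jitter, 2),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {stats['count']} requests, "
              f"period ~{stats['median_period']}s, jitter {stats['jitter']}s")
```

Running the block reports only the 10.0.0.5 to 203.0.113.10 pair; the human browsing session and the single update request fall through. Treat a hit as a triage signal rather than a verdict: software updaters and monitoring agents also poll on fixed timers, so in practice the detector is paired with an allowlist of known periodic destinations, and the period and tolerance are tuned to the interval the threat report describes.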
The threat actors behind SolarMarker campaigns use search engine optimization (SEO) poisoning to steer unsuspecting victims to websites they control that pose as official download channels for the software the person was searching for. Because the malware also installs the legitimate software, people who download and install SolarMarker may never realize that they got more than they bargained for.