New SolarMarker Malware Uses Updated Tactics to Avoid detection



Cybersecurity researchers have revealed a new version of the SolarMarker malware that includes enhancements aimed at improving the malware's defense evasion capabilities and remaining undetected.


"For the first time, the latest version demonstrated an evolution from Windows Portable Executables (EXE files) to working with MSI files," Palo Alto Networks Unit 42 researchers said in a report published this month. "However, this campaign is still being worked on; it is reverting back to the use of executable files (EXE)."


The primary infection vector for SolarMarker, also known as Jupyter, is manipulated search engine optimization (SEO). The malware is known for its backdoor features, which allow attackers to steal data stored in web browsers and to execute arbitrary commands received from a remote server.


An investigation into SolarMarker's long-term persistence on compromised systems in February 2022 found the malware's operators employing stealthy Windows Registry tricks.



According to Unit 42, the infection chains that have been discovered are a continuation of this behavior, with 250MB executables posing as PDF readers and utility programs hosted on fraudulent websites that are packed with keywords and use SEO techniques to rank higher in search engines.


As a result of its large file size, the initial stage dropper is able to evade detection by antivirus engines, as well as download and install a legitimate program while simultaneously triggering the execution of a PowerShell installer that deploys SolarMarker malware.




The system metadata and the results of the internal reconnaissance that the SolarMarker backdoor performs are sent over an encrypted channel to a remote server.


SolarMarker's information-stealing module can be installed on the victim machine via the implant. Password and credit card information, as well as autofill data, are all susceptible to the stealer's prying eyes.


In order to evade detection, the malware uses techniques like signed files, large files, impersonating legitimate software installations, and obfuscated PowerShell scripts, according to the research.
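Two of the evasion traits described above, the oversized dropper that slips past antivirus engines and the embedded PowerShell installer it triggers, are the ones a defender can check for cheaply at the file level. The triage helper below is an added example written for this article; it is not code from Unit 42 or from the SolarMarker analysis. It distinguishes PE (EXE) from MSI files by their magic bytes, flags files above an assumed size threshold, and looks for assumed PowerShell launcher indicators in the file body. The threshold, the indicator strings and the sample bytes are all constructed for illustration.

```python
"""Triage helper for oversized installer-style droppers (added example).

Flags files that look like Windows PE or MSI installers, are unusually large,
and carry PowerShell launcher strings. The size threshold and the indicator
regexes are assumptions chosen for this example, not values from the report.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Optional

PE_MAGIC = b"MZ"                                  # Windows Portable Executable (EXE/DLL)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary, the MSI container

# Assumed threshold: the article cites ~250MB droppers; anything past 100MB is worth a look.
SIZE_THRESHOLD = 100 * 1024 * 1024

# Assumed indicators of an embedded PowerShell launcher (case-insensitive byte regexes).
POWERSHELL_INDICATORS = {
    "powershell_binary": re.compile(rb"powershell(\.exe)?", re.I),
    "encoded_command": re.compile(rb"-enc(odedcommand)?\b", re.I),
    "no_profile": re.compile(rb"-nop(rofile)?\b", re.I),
    "hidden_window": re.compile(rb"-w(indowstyle)?\s+hidden", re.I),
    "base64_decode": re.compile(rb"FromBase64String", re.I),
}


@dataclass
class Verdict:
    file_type: str                 # "pe", "msi" or "other"
    size: int                      # size in bytes (normally from os.stat)
    oversized: bool                # size >= threshold
    indicators: list = field(default_factory=list)  # names of matched indicators

    @property
    def suspicious(self) -> bool:
        # Only installers that are both oversized and embed a launcher trip the rule;
        # a large file alone is common, a PowerShell string alone is common, both together are not.
        return self.file_type in ("pe", "msi") and self.oversized and bool(self.indicators)


def classify(data: bytes) -> str:
    """Classify a file by its leading magic bytes."""
    if data.startswith(OLE_MAGIC):
        return "msi"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "other"


def triage(data: bytes, size: Optional[int] = None, threshold: int = SIZE_THRESHOLD) -> Verdict:
    """Triage file content; `size` lets callers pass the on-disk size from os.stat."""
    actual = len(data) if size is None else size
    hits = sorted(name for name, rx in POWERSHELL_INDICATORS.items() if rx.search(data))
    return Verdict(file_type=classify(data), size=actual, oversized=actual >= threshold, indicators=hits)


def triage_path(path: str, threshold: int = SIZE_THRESHOLD) -> Verdict:
    """Triage a file on disk, reading its body once and taking the size from the filesystem."""
    with open(path, "rb") as fh:
        data = fh.read()
    return triage(data, size=os.path.getsize(path), threshold=threshold)


# Constructed samples: a fake PE stub carrying a PowerShell launcher string, and a bare MSI header.
SAMPLE_PE = (
    PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200
    + b"powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"
    + b"\x00" * 100
)
SAMPLE_MSI = OLE_MAGIC + b"\x00" * 512

if __name__ == "__main__":
    # Report the small in-memory sample as if it were a 300MB download.
    for label, blob in (("sample.exe", SAMPLE_PE), ("sample.msi", SAMPLE_MSI)):
        v = triage(blob, size=300 * 1024 * 1024)
        print(f"{label}: type={v.file_type} oversized={v.oversized} "
              f"indicators={v.indicators} suspicious={v.suspicious}")
```

The rule deliberately requires both conditions, because a large signed installer is normal on its own and a PowerShell string inside a legitimate setup package is also normal; it is the combination, on a file that arrived from a search result rather than a vendor download, that matches the behavior the report describes. On a real endpoint the same check belongs in the download-folder monitor or the mail gateway rather than in a one-off script.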
