| SolarMarker | |
| --- | --- |
| Type of Malware | Infostealer |
| Country of Origin | Russia |
| Date of initial activity | 2020 |
| Targeted Countries | United States |
| Additional Names | Jupyter, Polazert, Yellow Cockatoo |
| Associated Groups | APT28 (Fancy Bear) |
| Motivation | Financial gain: stealing vast amounts of data that can be sold on criminal forums, leading to further exploitation and attacks |
| Attack Vectors | Jupyter infections use SEO poisoning and search-engine redirects to lure users into downloading malicious files. Common delivery methods include malicious websites, drive-by downloads, and phishing emails. Users may unknowingly download Jupyter Infostealer when visiting compromised websites or clicking on malicious ads. The applications most commonly used to download this malware are the Firefox, Chrome, and Edge web browsers. |
| Targeted Systems | Windows |
| Tools | Cobalt Strike |
Overview
SolarMarker, a notorious piece of malware known for its information-stealing capabilities, has been evolving its multi-tiered infrastructure since its emergence in 2021. Also referred to as Yellow Cockatoo, Polazert, and Jupyter Infostealer, this malware targets various sectors, including education, healthcare, and small to medium-sized enterprises (SMEs). To evade detection, SolarMarker employs techniques such as signing its payloads with Authenticode certificates and delivering them in large zip files.
Targets
Multiple sectors, including education, healthcare, government, hospitality, and small and medium-sized enterprises. The malware targets both individuals and organizations.
How they operate
Since its inception in 2020, SolarMarker has demonstrated remarkable sophistication and resilience. The threat actors behind this malware have built a multi-tiered infrastructure that can be rebuilt quickly when parts of it are exposed or taken down. This agility allows SolarMarker to persist despite efforts by law enforcement and cybersecurity professionals to disrupt its operations.
SolarMarker's evasion techniques are particularly noteworthy. Signing its malicious payloads with Authenticode certificates gives them a veneer of legitimacy, making it harder for security products to identify and block them. Packaging payloads in large zip files lets SolarMarker slip past traditional antivirus software that may not fully scan files of that size.
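The oversized-archive trick above is one a defender can triage from zip metadata alone, without extracting anything. The following Python script is an added example written for this profile; it is not SolarMarker code or code from any vendor named here. It flags archives that exceed a scan-size budget, executable members that unpack to more than a member limit, and executable members whose deflate ratio is implausibly high (repeated-byte padding compresses hundreds to one, whereas a genuine installer is already compressed and sits near 1:1). The thresholds, the executable-extension list and the padding-ratio heuristic are assumptions chosen for the demo, not documented SolarMarker indicators, and the three sample archives are constructed in a temporary directory for illustration.

```python
"""Added example (not from the profile): metadata-only triage of zip archives
for the oversized-payload evasion pattern. Thresholds, the executable-extension
list and the ratio heuristic are assumptions for the demo, not documented IoCs."""
import os
import tempfile
import zipfile
from dataclasses import dataclass, field

# Extensions treated as executable content for triage purposes (assumption).
EXECUTABLE_EXTS = {".exe", ".dll", ".msi", ".scr", ".ps1", ".js", ".vbs", ".bat", ".cmd", ".lnk"}


@dataclass
class ArchiveReport:
    path: str
    archive_bytes: int
    members: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def triage_archive(path, max_archive_bytes, max_member_bytes, min_ratio=20.0):
    """Inspect zip central-directory metadata only (nothing is extracted or run)
    and record findings that justify a full scan or sandbox detonation."""
    report = ArchiveReport(path=path, archive_bytes=os.path.getsize(path))
    if report.archive_bytes > max_archive_bytes:
        report.findings.append(
            f"archive is {report.archive_bytes} bytes, above the {max_archive_bytes}-byte scan budget")
    with zipfile.ZipFile(path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            # Deflate ratio: repeated-byte padding compresses extremely well, while an
            # already-compressed installer stays close to 1:1. Empty members get 0.
            ratio = info.file_size / info.compress_size if info.compress_size else 0.0
            report.members.append({
                "name": info.filename, "file_size": info.file_size,
                "compress_size": info.compress_size, "ratio": ratio,
                "executable": ext in EXECUTABLE_EXTS,
            })
            if ext not in EXECUTABLE_EXTS:
                continue
            if info.file_size > max_member_bytes:
                report.findings.append(
                    f"{info.filename} unpacks to {info.file_size} bytes, above the "
                    f"{max_member_bytes}-byte member limit")
            if ratio > min_ratio:
                report.findings.append(
                    f"{info.filename} compresses {ratio:.0f}:1, consistent with padding")
    return report


def build_sample_archives(directory):
    """Constructed demo inputs: a benign archive, a zero-padded executable and an
    executable bloated with incompressible bytes."""
    paths = {}
    paths["benign"] = os.path.join(directory, "benign.zip")
    with zipfile.ZipFile(paths["benign"], "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "release notes\n" * 50)
        zf.writestr("tool.exe", os.urandom(100 * 1024))      # small, looks already compressed
    paths["padded"] = os.path.join(directory, "padded.zip")
    with zipfile.ZipFile(paths["padded"], "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.exe", b"\x00" * (4 * 1024 * 1024))  # 4 MiB of zero padding
    paths["bloated"] = os.path.join(directory, "bloated.zip")
    with zipfile.ZipFile(paths["bloated"], "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("installer.exe", os.urandom(4 * 1024 * 1024))  # 4 MiB that will not shrink
    return paths


def run_demo(max_archive_bytes=1024 * 1024, max_member_bytes=1024 * 1024):
    """Build the constructed samples in a temp dir and triage each; returns name -> report."""
    with tempfile.TemporaryDirectory() as tmp:
        return {name: triage_archive(p, max_archive_bytes, max_member_bytes)
                for name, p in build_sample_archives(tmp).items()}


if __name__ == "__main__":
    for name, rep in run_demo().items():
        print(f"{name}: {rep.archive_bytes} bytes on disk, {len(rep.findings)} finding(s)")
        for finding in rep.findings:
            print("  -", finding)
```

The demo uses a 1 MiB budget so it runs in a moment; in practice the thresholds should mirror whatever size limit the deployed scanner actually enforces, and a hit should route the file to a full scan rather than be treated as a verdict on its own. Note that the two bulky samples trip different checks: the zero-padded one is small on disk and is caught only by the unpacked-size and ratio checks, while the random-bloated one is caught by the archive and unpacked-size checks but looks normal by ratio.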
The malware’s operations are structured around a layered infrastructure comprising at least two clusters: a primary cluster for active operations and a secondary cluster likely used for testing new strategies or targeting specific industries or regions. This separation enhances SolarMarker’s adaptability and resilience, complicating efforts to detect and eradicate it.
Recorded Future’s Network Intelligence has identified a significant number of victims across multiple sectors, including education, healthcare, government, hospitality, and SMEs. SolarMarker targets both individuals and organizations, exfiltrating vast amounts of data that can be sold on criminal forums, leading to further exploitation and subsequent attacks.
MITRE Tactics and Techniques
TA0001: Initial Access
TA0002: Execution
TA0003: Persistence
TA0005: Defense Evasion
TA0006: Credential Access
TA0007: Discovery
TA0009: Collection
TA0010: Exfiltration
Impact / Significant Attacks
Attack on Educational Institutions: Targeted multiple educational institutions to steal sensitive data and disrupt operations.
Healthcare Sector Breach: Infiltrated healthcare organizations, leading to the exposure of patient records and other sensitive information.
SME Compromise: Conducted attacks on small and medium-sized enterprises, aiming to extract financial and operational data.
Government Agency Intrusion: Targeted government entities to gather classified or sensitive governmental information.