The SolarMarker malware, a persistent and sophisticated threat known by several names including Deimos and Jupyter Infostealer, has developed a multi-tiered infrastructure designed to thwart law enforcement takedown attempts. According to a recent report by Recorded Future, this infrastructure consists of at least two clusters: a primary one for active operations and a secondary one likely used for testing new strategies or targeting specific regions. This separation enables the malware to adapt and respond effectively to countermeasures, making it particularly difficult to eradicate.
Since its emergence in September 2020, SolarMarker has continuously evolved, enhancing its stealth capabilities and increasing its payload sizes. It leverages valid Authenticode certificates and novel Windows Registry changes to avoid detection, and it can run directly from memory rather than disk. SolarMarker primarily targets sectors such as education, government, healthcare, hospitality, and small to medium-sized enterprises. Infection methods include hosting the malware on bogus downloader sites and using SEO poisoning or malicious email links to lure victims.
SolarMarker’s infection process begins with executables or Microsoft Software Installer files, which deploy a .NET-based backdoor responsible for downloading additional payloads to facilitate information theft. The malware also employs alternate sequences involving counterfeit installers that drop a legitimate application or decoy file while launching a PowerShell loader to execute the backdoor in memory. Recently, SolarMarker attacks have also included a Delphi-based hVNC backdoor called SolarPhantom, which enables remote control of victim machines without the victims' knowledge.
Recorded Future’s investigation into the malware’s command-and-control (C2) servers revealed a multi-tiered architecture with four levels. Tier 1 servers communicate directly with victim machines and connect to Tier 2 servers via port 443. This communication pattern continues up to Tier 4 servers, which serve as the central administration point for downstream servers. Additionally, Tier 4 servers communicate with an auxiliary server via port 8033, possibly for monitoring purposes. The sophisticated structure of SolarMarker underscores the significant challenge it poses to cybersecurity efforts.
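For defenders with flow telemetry, the tier layout described above can be walked from known Tier 1 addresses. The sketch below is an added example, not code or methodology from the Recorded Future report. The flow-record format, the function name `map_tiers`, and the fan-in threshold used to discard unrelated HTTPS traffic are assumptions, and all addresses are constructed from documentation ranges.

```python
from collections import defaultdict

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("192.0.2.10", "198.51.100.1", 443),       # Tier 1 -> Tier 2
    ("192.0.2.11", "198.51.100.1", 443),
    ("192.0.2.12", "198.51.100.2", 443),
    ("192.0.2.13", "198.51.100.2", 443),
    ("192.0.2.10", "203.0.113.80", 443),       # noise: one host, unrelated HTTPS site
    ("198.51.100.1", "198.51.100.50", 443),    # Tier 2 -> Tier 3
    ("198.51.100.2", "198.51.100.50", 443),
    ("198.51.100.50", "198.51.100.99", 443),   # Tier 3 -> Tier 4
    ("198.51.100.99", "203.0.113.200", 8033),  # Tier 4 -> auxiliary server
    ("192.0.2.10", "203.0.113.5", 8033),       # port 8033 from a non-Tier-4 host: ignored
]
SEEDS = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"}  # known Tier 1


def map_tiers(flows, tier1_seeds, max_tier=4, min_fan_in=2,
              c2_port=443, aux_port=8033):
    """Walk upstream from Tier 1 over c2_port, then find aux_port peers of the top tier."""
    upstream = defaultdict(lambda: defaultdict(set))  # port -> src -> {dst}
    for src, dst, port in flows:
        upstream[port][src].add(dst)

    tiers = {1: set(tier1_seeds)}
    seen = set(tier1_seeds)
    for level in range(2, max_tier + 1):
        below = tiers[level - 1]
        fan_in = defaultdict(set)  # candidate -> hosts in the tier below that contact it
        for src in below:
            for dst in upstream[c2_port].get(src, ()):
                if dst not in seen:
                    fan_in[dst].add(src)
        # Assumption: a real upstream is shared by several downstream servers,
        # or by all of them when the tier below is smaller than the threshold.
        need = min(min_fan_in, len(below))
        tiers[level] = {d for d, srcs in fan_in.items() if len(srcs) >= need}
        seen |= tiers[level]

    aux = set()
    for src in tiers[max_tier]:
        aux |= upstream[aux_port].get(src, set())
    return tiers, aux
```

Raising `min_fan_in` trades recall for fewer false upstream candidates when Tier 1 hosts also generate ordinary HTTPS traffic.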