SolarMarker targets a variety of verticals, including education, government, healthcare, hospitality, and small and medium-sized enterprises predominantly in the U.S. The malware is capable of stealing data from web browsers and cryptocurrency wallets and targeting VPN and RDP configurations. The threat actors have made the malware increasingly stealthy by employing larger payloads, valid Authenticode certificates novel Windows Registry changes, and the capability to run directly from memory.

Infection vectors for SolarMarker include hosting on fake downloader sites that appear in search engine results or malicious emails. The initial infection often involves executables (EXE) and Microsoft Software Installer (MSI) files which deploy a .NET-based backdoor for downloading further payloads. Recent tactics include using Delphi-based hVNC backdoors and varying tools like Inno Setup and PS2EXE to create payloads. A new PyInstaller malware version was recently distributed using a decoy dishwasher manual.

The multi-tiered C2 infrastructure includes Tier 1 servers directly contacting victim machines which relay information to Tier 2 servers over port 443 continuing to Tier 3 and then to a central Tier 4 server. The Tier 4 server administers all downstream servers and communicates with an auxiliary server over port 8033, potentially for monitoring or backup purposes.

Evidence suggests SolarMarker may be the work of a lone actor with potential ties to Russia, as indicated by prior research. The complex infrastructure and evolving tactics underscore the ongoing threat posed by SolarMarker necessitating continuous vigilance and advanced countermeasures to mitigate its impact.

Impact

• Sensitive Data Theft
• Cryptocurrency Theft
• Security Bypass

Indicators of Compromise

SHA1

• 8a758216da9043e5d21457335c522afe037b3f0e
• e92999c0809b144c20f0ceac95e9e39cd788124a
• 783da89b0c747326e2ea35e8f0d086f18f7ac66d
• 08aa0f6394b4197774ad48e1d8e429c1d1226a37

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.