Researchers have warned users to be wary of the Solarmarker malware which currently has active campaigns in the wild. While the malware isn’t new, it has now evolved to function as a robust information stealer and keylogger.
What is Solarmarker malware?
Researchers from Cisco Talos have published a detailed report on their analysis of Solarmarker. They found the malware active in the wild, aiming to steal users’ information such as login credentials.
In brief, the malware is being actively distributed in recent campaigns by sophisticated threat actors. Earlier versions had surfaced online with a different feature set; the current build has evolved into a potent infostealer and keylogger.
To deliver these functionalities, the malware has undergone two modifications. The first is the replacement of the staging module “d.m” with a new one named “Mars”. The stager prepares the ground for the second component, “Jupyter”: it drops all subsequent files onto the victim system and launches the processes that execute them.
“Jupyter” is the information stealer proper, harvesting credentials and data typed into online forms.
Once stolen, the data is sent to the command-and-control (C2) server via HTTP POST requests.
The second modification is a previously unidentified module dubbed “Uran”, which acts as a keylogger.
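The page only says that the stolen data leaves over HTTP POST, so the heuristic below (an added example, not code from the Talos report and not Solarmarker’s own code) scores outbound POSTs on features a browser-originated POST to a legitimate site rarely combines: a non-browser originating process, a bare-IP destination, no Referer, an empty User-Agent, and a large request body. The record layout, process allowlist, hosts and thresholds are assumptions made for the example; the actual indicators from the report are not reproduced here.

```python
"""Heuristic triage of outbound HTTP POSTs for infostealer-style exfiltration.

Added example, not from the Talos report and not Solarmarker code. The page
states only that stolen data leaves over HTTP POST, so the heuristic scores
each POST on features a browser-originated POST to a legitimate site rarely
combines. Records, names and thresholds below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed allowlist of processes expected to originate interactive POSTs.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}


@dataclass
class ProxyRecord:
    """One outbound HTTP request as a proxy or EDR sensor might log it."""
    process: str      # image name of the originating process
    method: str
    url: str
    user_agent: str
    referer: str
    bytes_out: int    # request body size in bytes


def is_bare_ip(host: str) -> bool:
    """True when the destination host is a literal IP rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_post(rec: ProxyRecord, body_threshold: int = 2048):
    """Return (score, reasons) for one record; non-POST requests score 0."""
    reasons = []
    if rec.method.upper() != "POST":
        return 0, reasons
    host = urlsplit(rec.url).hostname or ""
    if rec.process.lower() not in BROWSER_PROCESSES:
        reasons.append("POST from non-browser process")
    if is_bare_ip(host):
        reasons.append("destination is a bare IP address")
    if not rec.referer:
        reasons.append("no Referer header")
    if not rec.user_agent:
        reasons.append("empty User-Agent")
    if rec.bytes_out >= body_threshold:
        reasons.append(f"request body >= {body_threshold} bytes")
    return len(reasons), reasons


def triage(records, min_score: int = 3):
    """Records whose score meets min_score, with reasons, for analyst review."""
    hits = []
    for rec in records:
        score, reasons = score_post(rec)
        if score >= min_score:
            hits.append((rec, score, reasons))
    return hits


# Constructed sample records (203.0.113.0/24 is a documentation range).
SAMPLE = [
    ProxyRecord("chrome.exe", "POST", "https://accounts.example.com/login",
                "Mozilla/5.0", "https://accounts.example.com/", 512),
    ProxyRecord("updater.exe", "POST", "https://updates.example.net/report",
                "Updater/1.0", "", 300),
    ProxyRecord("powershell.exe", "POST", "http://203.0.113.10/gate.php",
                "", "", 48_000),
]

if __name__ == "__main__":
    for rec, score, reasons in triage(SAMPLE):
        print(f"{rec.process} -> {rec.url} (score {score}): "
              + ", ".join(reasons))
```

On the constructed sample only the PowerShell record crosses the threshold; the updater scores two (non-browser process, no Referer), which is exactly the kind of legitimate telemetry that makes a single feature useless on its own. Treat `min_score` as a tuning knob and a hit as a lead to pivot on (process ancestry is the natural next step, since the page notes the stager is what launches the later processes), not as a verdict.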
More technical information about the malware and its modules is available in the researchers’ report.
Where does Solarmarker originate?
Solarmarker drew attention during earlier campaigns and has since been analyzed by numerous researchers, yet each new analysis still turns up new details, a measure of how complex the malware is.
As for the threat actors, Cisco Talos assesses that they are likely of Russian origin. As the report states,
Static and dynamic analysis of Solarmarker’s droppers revealed attributes in the executables’ resource section that indicate the files were created on a system with Russian language support.
For instance, the module names “Uran” and “Jupyter” are apparently Russian transliterations of “Uranus” and “Jupiter”.
Even if the actors are not themselves Russian, they “at least designed it to look that way”.
The malware also has considerable room for further upgrades, which could make it even more dangerous in the future.
Nonetheless, the researchers consider attacks with this malware relatively straightforward to mitigate, because infection depends on the victim downloading and executing the malicious file. Security awareness training that teaches staff to recognize such lures is therefore a first line of defence.
Enforcing multi-factor authentication on accounts also limits the damage from a stolen password: a credential captured by the stealer or keylogger is not sufficient on its own to log in.
Finally, regular vulnerability scans and professional penetration testing help surface weaknesses before they become a problem.