Solarmarker

Malware updated 2 months ago (2024-07-09T14:17:40.328Z)
SolarMarker, also known as Yellow Cockatoo, Polazert, and Jupyter Infostealer, is a sophisticated malware designed to steal information. It has been evolving since 2020 and has been active in various campaigns since 2021. The malware relies heavily on web delivery, using search engine optimization (SEO) tricks to fool targets into downloading malicious payloads. Notably, in 2022, SolarMarker was involved in an "SEO poisoning" campaign, demonstrating the increasing sophistication of its operations.

The core of SolarMarker's operations lies in its layered infrastructure, which consists of two clusters: a primary one for active operations and a secondary one likely used for testing new strategies or targeting specific industries or regions. This multi-tiered structure allows the malware to adapt and evolve, making it more challenging to detect and mitigate. The malware also employs advanced evasion techniques such as Authenticode certificates, which lend an air of legitimacy to its malicious payloads, and uses large zip files to bypass antivirus software.

In addition to its own campaigns, SolarMarker has been used in conjunction with other malicious toolkits and malware families. For instance, it was dropped as part of the Domen toolkit and sczriptzzbn campaigns, leading to the NetSupport Remote Access Tool (RAT). Furthermore, it was utilized by a HIVE SPIDER affiliate in an attack against a telecommunications sector entity in January 2023.

To defend against SolarMarker, it is recommended to enforce application allow-lists to prevent the downloading of seemingly legitimate files containing malware.
Description last updated: 2024-07-09T13:17:50.426Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Malware, Backdoor
Source Document References
Information about the Solarmarker malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Recorded Future | 2 months ago | Exploring the Depths of SolarMarker's Multi-tiered Infrastructure | Recorded Future
Recorded Future | 4 months ago | Exploring the Depths of SolarMarker's Multi-tiered Infrastructure | Recorded Future
Malwarebytes | 5 months ago | Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR | Malwarebytes
Securityaffairs | 5 months ago | TheMoon bot infected 40,000 devices in January and February
CERT-EU | 6 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 6 months ago | Cybercrime on Main Street – Sophos News | #cybercrime | #computerhacker - Am I Hacker Proof
Malwarebytes | a year ago | FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT
CrowdStrike | 2 years ago | DLL Side-Loading: How To Combat Threat Actor Evasion Techniques | CrowdStrike
DARKReading | 2 years ago | Encrypted Traffic, Once Thought Safe, Now Responsible For Most Cyberthreats