The SolarMarker malware showed signs of an improved evasion tactic

SolarMarker Malware Improved Evasion Tactic

Researchers have provided a thorough discussion regarding the newly upgraded strain of the SolarMarker malware. Based on reports, the malware operators of the SolarMarker have now included improvements, along with an upgraded defence evasion mechanism to remain undetected and bypass security solutions.

The operators of this new malware variant use stealthy Windows Registry tactics to acquire a persistence on the infected systems and remain hidden for long extensive periods.

Moreover, the malicious threat actors that run SolarMarker used signed files, large files, spoofing of authentic software, and obfuscated PowerShell scripts for AV solutions anti-detection. Using these several tools indicates that the malware wants to stay on its targeted device for as long as they wish.


SolarMarker threat actors used search engines for malware spread and propagation vectors.


The infection chain of SolarMarker starts by utilising the 250MB [.]exe file for a PDF reader and utilities attached on fake websites. These PDFs endorsed by the threat actors are packed with keywords for SEO poisoning tactics to improve their ranking in several search engines or browsers.

The large file size of the [.]exe enables the initial stage dropper to evade automated analysis by antivirus solutions. The [.]exe file also downloads and installs an authentic program to avoid any suspicion that will trigger some researchers to analyse the file.

In another attack scenario, the malware initiates a PowerShell installer to launch and run additional components of the SolarMarker malware variant. The cyberattack had also used two specific details of SolarMarker, such as a backdoor and an infostealer, to execute multiple operations.

The backdoor is now packed by its developers with the ability to carry out internal retrieval operations, gather the system metadata, and upload it to the C2 server over a secured channel.

In addition, the backdoor implant launches the SolarMarker info stealing module on affected devices. The stealer can collect autofill data, cookies, passwords, and credit card information from browsers.

The threat actors that operate the SolarMarker campaign have put a lot of their knowledge and effort into hiding their malware. Experts recommend that organisations stay updated with the latest trends in threat intelligence and strategies. This recommendation could allow the users to implement better countermeasures against such threats.

About the author

Leave a Reply