The Evolution and Analysis of SolarMarker Project Announcement

February 14, 2024

SolarMarker is one of the more common infostealers out there. Every analyst is probably tired of seeing users click SEO-poisoned links and download some variation of Totally-Not-Malware-PDF.exe. Originally observed in 2020 as Jupyter Infostealer, SolarMarker has been around for some time. As a campaign that has lasted this long, it has naturally undergone many changes and permutations over the years. This ongoing project will examine several samples and compare the techniques SolarMarker has used across that period.

The first few samples that will be analyzed are ps1 and exe files from 2021 to 2023. These have all been taken from Malware Bazaar’s excellent collection. The main focus of this analysis is to determine commonalities between the various samples. Following that process, the next step will be to examine historical and current attack vectors, initial compromise techniques, and campaign scope. Once the second phase is done, a final comparison will be performed, analyzing all the available data to map out the improvements and modifications that SolarMarker has made since the first detections in 2020.

SolarMarker was chosen due to its widespread presence. It’s malware that I see almost every day at work, and there is an abundance of prior work to lean on for analysis and historical data. It is also an ongoing campaign: new SolarMarker variants are still being released, so it is worthwhile to theorize about new evolutions and directions for the malware. That also makes it an easy choice for a fun side project like this.

In the next few days, there should be a follow-up to this post looking at the first sample, which is a Jupyter backdoor PS1 script. The analysis is done, and the screenshots are ready. I just need to find time to sit and write out the post. It uses a classic registry trick along with startup persistence. Both techniques can be seen in my PowerShell Malware example repo under Persistence_001. As other techniques are covered in various samples, they will also be added to the repo. All techniques have been rewritten to be (mostly) harmless, but they will trigger Defender and any other AV/EDR present.

To see an example of a brief modern SolarMarker analysis, take a look at Playing around with Solarmarker/Jupyter InfoStealer.