SolarMarker malware remains was a common threat but nothing has been published or widely shared about the actor’s actions or objectives—until now. Based on original findings from monitoring an infected computer for months, this blog-post discloses—for the first time—the financial fraud carried out by the SolarMarker actor group.
Category Archives: malware
DeceptionPro: getting ahead of cybercrime
DeceptionPro allows you to monitor cybercrime by creating realistic environments, allowing front row seat to attacker behaviors and post-exploitation activity.
October 2023 SolarMarker
SolarMarker regularly tops the list of threats seen by organizations like VMWare and Red Canary. This post will help you recognize SolarMarker, if you see it within your organization.
Understanding PE Bloat with Malcat
This post is an introduction to the tool for others and demonstrates how the tool can be used to understand portable executables and bloated resources.
Solarmarker: The Old is New
The purpose of this blogpost is to document the PowerShell used by Solarmarker. The PowerShell was first observed between Feb 2022 until May 2022 and then resurfaced in September 2022. The goal of this post is to publish information regarding the PowerShell to enable others to identify and understand what the PowerShell is doing. DetectingContinue reading “Solarmarker: The Old is New”
SolarMarker Bloat
The goal of this post is to document SolarMarker malware as seen between May 2022 and September 2022. This malware is also known under other names (Jupyter Infostealer, YellowCockatoo, Polazert). If you are interested in earlier forms of the malware, check out my previous blog posts. The TLDR on SolarMarker is that it has beenContinue reading “SolarMarker Bloat”
Solarmarker: May 2022 Persistence
The purpose of this post is to document the new persistence methods used by Solarmarker. The previous persistence methods were used from July 2021 until May 2022 (read about those here, here and here). Whether this persistence is short lived or is used for the next year, it is my desire to make it publiclyContinue reading “Solarmarker: May 2022 Persistence”
Review: Practical Malware Analysis and Triage (PMAT)
I have often recommended the book Practical Malware Analysis (PMA) by Michael Sikorski and Andrew Honig; however, the book was originally published in 2012 and there have been no updates to the core book, so if I recommend the book, I always have to give caveats regarding the age and the age of some ofContinue reading “Review: Practical Malware Analysis and Triage (PMAT)”
Solarmarker: by any other name
Payload SHA256: c61348ab7e5ffeb9ba5d1077b13c49bde4d841c5ada9aBackdoor SHA256: 0e673eb418c87268aa3bcb262e8e03a3f719a95a8e118ba99515c57c9aa02d38Backdoor C2: 149.255.35.179 Solarmarker (AKA JupyterInfostealer AKA YellowCockatoo AKA Polazert) is still a trending malware. According to Expel.io the malware accounted for 33% of their identified malicious payloads in September 2021. Several companies have published write-ups: they often dig deep and the writeups and detection methods often fall out of dateContinue reading “Solarmarker: by any other name”
Solarmarker: Registry Key Persistence Walkthrough
Binary: 1197067d50dd5dd5af12e715e2cc00c0ba1ff738173928bbcfbbad1ee0a52f21Infostealer: 6852699e4420f08ab63a9a4e0b126d73d0ac3d7e21da06ad77bc3fe67c9a2e1fBackdoor: 8c35f2a78e366abf2450d5882c49c69ee5cc01dba3743938b45cedc2b5dee3a3 This is a follow up blogpost regarding the malware known as Solarmarker / Jupyter Infostealer / Yellow Cockatoo / Polazert. This post can be read on its own but consider reading my first post on Solarmarker that discusses the persistence mechanism for April – May and my second post for informationContinue reading “Solarmarker: Registry Key Persistence Walkthrough”
Squiblydoo.blog 