win.solarmarker

solarmarker

aka: Jupyter, Polazert, Yellow Cockatoo

Unit 42 reports having identified a new version of SolarMarker, a malware family known for its infostealing and backdoor capabilities. It is delivered mainly through search engine optimization (SEO) manipulation that lures users into downloading malicious documents.

SolarMarker’s capabilities include exfiltrating auto-fill data, saved passwords and saved credit card information from victims’ web browsers. Beyond the capabilities typical of an infostealer, it can also transfer files and execute commands received from a command-and-control (C2) server.

The malware invests significant effort in defense evasion, using techniques such as signed files, very large files, impersonation of legitimate software installations, and obfuscated PowerShell scripts.

References
2022-09-27 | Squiblydoo | Squiblydoo
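@online{squiblydoo:20220927:solarmarker:8693ea8,
  author       = {Squiblydoo},
  title        = {{Solarmarker}: The Old is New},
  date         = {2022-09-27},
  organization = {Squiblydoo},
  url          = {https://squiblydoo.blog/2022/09/27/solarmarker-the-old-is-new/},
  urldate      = {2023-01-18},
  language     = {English},
}
Solarmarker: The Old is New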
solarmarker
2022-04-27 | eSentire | eSentire Threat Response Unit (TRU)
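@online{tru:20220427:esentire:64541e7,
  author       = {{eSentire Threat Response Unit (TRU)}},
  title        = {{eSentire} Threat Intelligence Malware Analysis: {SolarMarker}},
  date         = {2022-04-27},
  organization = {eSentire},
  url          = {https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-solarmarker},
  urldate      = {2022-05-05},
  language     = {English},
}
eSentire Threat Intelligence Malware Analysis: SolarMarker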
solarmarker
2022-04-08 | Palo Alto Networks Unit 42 | Shimi Cohen, Inbal Shalev, Irena Damsky
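@online{cohen:20220408:new:6c99a64,
  author       = {Cohen, Shimi and Shalev, Inbal and Damsky, Irena},
  title        = {New {SolarMarker} ({Jupyter}) Campaign Demonstrates the Malware’s Changing Attack Patterns},
  date         = {2022-04-08},
  organization = {Palo Alto Networks Unit 42},
  url          = {https://unit42.paloaltonetworks.com/solarmarker-malware/},
  urldate      = {2022-04-14},
  language     = {English},
}
New SolarMarker (Jupyter) Campaign Demonstrates the Malware’s Changing Attack Patterns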
solarmarker
2022-02-01 | Sophos | Gabor Szappanos, Sean Gallagher
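@online{szappanos:20220201:solarmarker:597b088,
  author       = {Szappanos, Gabor and Gallagher, Sean},
  title        = {{SolarMarker} campaign used novel registry changes to establish persistence},
  date         = {2022-02-01},
  organization = {Sophos},
  url          = {https://news.sophos.com/en-us/2022/02/01/solarmarker-campaign-used-novel-registry-changes-to-establish-persistence/},
  urldate      = {2022-02-02},
  language     = {English},
}
SolarMarker campaign used novel registry changes to establish persistence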
solarmarker
2022-01-13 | Blackberry | The BlackBerry Research & Intelligence Team
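@online{team:20220113:threat:8a5c973,
  author       = {{The BlackBerry Research \& Intelligence Team}},
  title        = {Threat Thursday: {Jupyter} Infostealer is a Master of Disguise},
  date         = {2022-01-13},
  organization = {Blackberry},
  url          = {https://blogs.blackberry.com/en/2022/01/threat-thursday-jupyter-infostealer-is-a-master-of-disguise},
  urldate      = {2022-01-24},
  language     = {English},
}
Threat Thursday: Jupyter Infostealer is a Master of Disguise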
solarmarker
2021-10-28 | PRODAFT Threat Intelligence | PRODAFT
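@techreport{prodaft:20211028:solarmarker:6c54c24,
  author      = {{PRODAFT}},
  title       = {{Solarmarker} In-Depth Analysis},
  date        = {2021-10-28},
  institution = {PRODAFT Threat Intelligence},
  url         = {https://www.prodaft.com/m/reports/Solarmarker_TLPWHITEv2.pdf},
  urldate     = {2021-11-03},
  language    = {English},
}
Solarmarker In-Depth Analysis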
solarmarker
2021-09-21 | Morphisec | Nadav Lorber
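@online{lorber:20210921:new:117cc51,
  author       = {Lorber, Nadav},
  title        = {New {Jupyter} Evasive Delivery through {MSI} Installer},
  date         = {2021-09-21},
  organization = {Morphisec},
  url          = {https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer},
  urldate      = {2021-09-22},
  language     = {English},
}
New Jupyter Evasive Delivery through MSI Installer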
solarmarker
2021-08-09 | Minerva Labs | Minerva Labs
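@online{labs:20210809:thwarting:cff4148,
  author       = {{Minerva Labs}},
  title        = {Thwarting {Jupyter} Stealer},
  date         = {2021-08-09},
  organization = {Minerva Labs},
  url          = {https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer},
  urldate      = {2021-12-17},
  language     = {English},
}
Thwarting Jupyter Stealer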
solarmarker
2021-07-29 | Talos Intelligence | Andrew Windsor, Chris Neal
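@online{windsor:20210729:talos:6cba25b,
  author       = {Windsor, Andrew and Neal, Chris},
  title        = {Talos Spotlight: {Solarmarker}},
  date         = {2021-07-29},
  organization = {Talos Intelligence},
  url          = {https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more},
  urldate      = {2021-09-02},
  language     = {English},
}
Talos Spotlight: Solarmarker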
solarmarker
2021-07-16 | Binary Defense | Binary Defense
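@online{defense:20210716:marsdeimos:c0e4144,
  author       = {{Binary Defense}},
  title        = {Mars-Deimos: From {Jupiter} to {Mars} and Back again (Part Two)},
  date         = {2021-07-16},
  organization = {Binary Defense},
  url          = {https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/},
  urldate      = {2021-07-24},
  language     = {English},
}
Mars-Deimos: From Jupiter to Mars and Back again (Part Two)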
solarmarker
2021-07-06 | Binary Defense | Binary Defense
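@online{defense:20210706:marsdeimos:ebe87c7,
  author       = {{Binary Defense}},
  title        = {Mars-Deimos: {SolarMarker}/{Jupyter} Infostealer (Part 1)},
  date         = {2021-07-06},
  organization = {Binary Defense},
  url          = {https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/},
  urldate      = {2021-07-24},
  language     = {English},
}
Mars-Deimos: SolarMarker/Jupyter Infostealer (Part 1)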
solarmarker
2021-06-20 | Squiblydoo | Squiblydoo
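@online{squiblydoo:20210620:marsdeimos:f574072,
  author       = {Squiblydoo},
  title        = {Mars-Deimos: From {Jupiter} to {Mars} and Back again (Part Two)},
  date         = {2021-06-20},
  organization = {Squiblydoo},
  url          = {https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/},
  urldate      = {2021-12-17},
  language     = {English},
}
Mars-Deimos: From Jupiter to Mars and Back again (Part Two)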
solarmarker
2021-06-11 | Twitter (@MsftSecIntel) | Microsoft Security Intelligence
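@online{intelligence:20210611:solarmarkerjupyter:86c4f14,
  author       = {{Microsoft Security Intelligence}},
  title        = {Tweet on solarmarker/{Jupyter} malware},
  date         = {2021-06-11},
  organization = {Twitter (@MsftSecIntel)},
  url          = {https://twitter.com/MsftSecIntel/status/1403461397283950597},
  urldate      = {2021-06-21},
  language     = {English},
}
Tweet on solarmarker/Jupyter malware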
solarmarker
2021-04-13 | eSentire | eSentire
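@online{esentire:20210413:hackers:bc5d7af,
  author       = {{eSentire}},
  title        = {Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports {eSentire}},
  date         = {2021-04-13},
  organization = {eSentire},
  url          = {https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire},
  urldate      = {2021-04-16},
  language     = {English},
}
Hackers Flood the Web with 100,000 Malicious Pages, Promising Professionals Free Business Forms, But Delivering Malware, Reports eSentire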
solarmarker
2021-02-08 | CrowdStrike | Tom Simpson, Tom Henry, Seb Walla
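@online{simpson:20210208:blocking:c4fb4be,
  author       = {Simpson, Tom and Henry, Tom and Walla, Seb},
  title        = {Blocking {SolarMarker} Backdoor},
  date         = {2021-02-08},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/},
  urldate      = {2021-02-09},
  language     = {English},
}
Blocking SolarMarker Backdoor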
solarmarker
2020-12-20 | Security Magic | Security Magic
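@online{magic:20201220:tracking:9d75102,
  author       = {{Security Magic}},
  title        = {Tracking {Jupyter} Malware},
  date         = {2020-12-20},
  organization = {Security Magic},
  url          = {https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html},
  urldate      = {2021-06-29},
  language     = {English},
}
Tracking Jupyter Malware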
solarmarker
2020-11-12 | Morphisec | Arnold Osipov
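@online{osipov:20201112:threat:05d4acd,
  author       = {Osipov, Arnold},
  title        = {Threat Profile: {JUPYTER INFOSTEALER}},
  date         = {2020-11-12},
  organization = {Morphisec},
  url          = {https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction},
  urldate      = {2021-12-17},
  language     = {English},
}
Threat Profile: JUPYTER INFOSTEALER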
solarmarker

There is no YARA signature yet.