Solarmarker
Also known as: Jupyter, Mars, Uranus, Yellow Cockatoo, Polazert
Category: Malware
Type: Trojan, Stealer
Platform: Microsoft Windows
Damage potential: Stealing information, like login credentials and form submission data from browsers, deploying additional malware, gaining full access to the infected device.
Overview
Solarmarker is sophisticated, .NET-based malware known for its ability to steal information and install backdoors without being detected. It targets Windows devices and systems using encrypted communication channels to steal sensitive information from the infected device. Solarmarker has a unique design that allows it to adapt and evolve swiftly, avoiding detection and removal. Its ability to stay under the radar makes Solarmarker a particularly concerning threat.
Possible symptoms
Solarmarker works through a heavily obfuscated PowerShell loader to avoid detection while also impersonating legitimate software installation. However, once it infects a device, you may notice the following symptoms:
You notice unusual network traffic, especially encrypted HTTP POST requests to unknown IP addresses.
Unfamiliar processes appear in the Task Manager.
There are new files in the system, particularly in the “AppData\Local\Temp” directory.
Your device starts having sudden performance issues due to the malware’s continuous activities.
You notice changes in the system settings you did not make.
You get alerts about someone trying to access your online accounts.
Sources of infection
SEO poisoning. Attackers use SEO tactics to make their websites seem legitimate and appear higher in Google’s search results. The goal is to get as many people as possible to visit them and download the malware’s dropper files without realizing it.
Phishing emails. Attackers send out emails containing malicious attachments or links that lead to the download of the initial dropper files.
Compromised websites. Legitimate websites that had a vulnerability and are now hosting the Solarmarker dropper files, which often masquerades as legitimate software.
Protection
You can reduce the chances of a Solarmarker infection and avoid getting your accounts stolen in a few ways:
Use email with caution. Don’t open suspicious emails — and never click on links or attachments unless you know and trust the sender.
Keep your software up to date. Don’t ignore software or browser updates, because they may contain important security patches.
Be cautious online. Download apps and software only from official app stores or directly from developers’ websites.
Use network monitoring. This tip is more advanced, but you can set up network monitoring tools to detect and block suspicious network traffic.
Use Threat Protection. This advanced NordVPN feature blocks malicious websites and potentially harmful ads. Additionally, it scans the files you download for malware and deletes dangerous ones before they can harm your device.
Set up two-factor authentication. This won’t prevent Solarmarker from installing itself on your device, but it will help you protect your accounts from unauthorized access if the malware manages to steal your login credentials.
Removal
Disconnect infected devices from the internet to stop Solarmarker from communicating with its control center.
Use an updated and reputable paid antivirus software to scan your device and remove malicious components.
Manual removal, while technically possible, should be done by an experienced professional. It requires the user to identify and delete all malicious files and registry entries associated with Solarmarker, which is specifically designed to be difficult to detect. If you don’t want to use anti-malware software for this task and don’t know anyone who could help you out with manual removal, then a full system reset is the best way to remove Solarmarker from your device.
After the malware is gone, make sure you change all your passwords — you never know which ones it managed to steal.