SolarMarker is a Remote Access Trojan (RAT) written for the Microsoft .NET framework. It has also been tracked under several other names, including Jupyter, Yellow Cockatoo and Polazert. Its core function is to act as a backdoor through which the operating threat actor can escalate the intrusion by delivering a final-stage payload to the infected system. SolarMarker has been used in several campaigns, since this versatility lets different groups deploy whatever payload suits their objectives.
SolarMarker can fetch and execute a next-stage banking Trojan capable of hijacking online banking credentials from the compromised organization, or an information stealer that harvests users' account and email credentials. Such data can then be used by the attackers to move laterally within the network, spread the infection to additional systems or gain deeper access to confidential corporate data. Deploying ransomware against corporations has also risen sharply, since it lets the attackers lock down the breached entity's entire operations and demand a large payment.
Thousands of Google-Hosted Websites Spread the SolarMarker RAT
The latest campaign involving the SolarMarker RAT shows a significant level of sophistication. The threat actor behind it has set up roughly 100,000 dedicated Google-hosted malicious domains. The pages spreading SolarMarker are built around popular business terms and keywords for various forms and templates, including receipts, invoices, resumes and questionnaires. By combining such common terms as part of an SEO (Search Engine Optimization) poisoning strategy, the cybercriminals rely on Google's own crawlers to rank the corrupted pages highly and place them among the top results shown to users searching for those documents.
Unsuspecting users believe they are opening the document form or template they searched for. Instead, they execute a binary that starts the SolarMarker installation chain. To further mask its presence, the backdoor is bundled with decoy applications, such as docx2rtf.exe, Expert_PDF.exe and photodesigner7_x86-64.exe, that give the user a plausible program to look at while the RAT installs; one of the most recently observed decoys is the Slim PDF reader.
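As an added illustration (not part of the original article or any vendor's tooling), the following Python script hunts for the lure pattern described in the two paragraphs above in web proxy logs: executable downloads whose file names carry the campaign's business keywords, that are served from Google-hosted domains, that arrive from a Google search, or that match the decoy application names. The log format, the sample lines, the two Google-hosted domain suffixes, the scoring weights and the file name slimpdf.exe are all constructed assumptions.

```python
"""Hunt for SolarMarker-style SEO-poisoning lures in web proxy logs.

Constructed example for this article; not code from any vendor or project.
The log format is a simplified hypothetical one:
    <timestamp> <client_ip> <method> <url> <status> "<referer>"
"""
import re
from urllib.parse import urlparse, parse_qs

# Business terms the campaign uses as search bait (named in the article).
LURE_TERMS = ("receipt", "invoice", "resume", "questionnaire", "template", "form")

# Decoy application names the article mentions. "slimpdf.exe" is an assumed
# file name for the Slim PDF reader decoy; the article gives only the product name.
DECOY_NAMES = {"docx2rtf.exe", "expert_pdf.exe", "photodesigner7_x86-64.exe", "slimpdf.exe"}

# Assumption: which "Google-hosted" domains to treat as lure hosting.
# The article says only "Google-hosted"; these two suffixes are illustrative.
GOOGLE_HOSTED_SUFFIXES = ("sites.google.com", "storage.googleapis.com")

EXECUTABLE_EXTENSIONS = (".exe", ".msi")
# Assumed weights: an executable fetch counts double, a decoy name triple.
WEIGHTS = {"executable download": 2, "known decoy application name": 3}
ALERT_THRESHOLD = 4

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of log fields, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_google_search_referer(referer):
    """True if the referer is a Google search results page carrying a query."""
    if not referer or referer == "-":
        return False
    u = urlparse(referer)
    return ((u.hostname or "").startswith("www.google.")
            and u.path == "/search"
            and "q" in parse_qs(u.query))


def score_request(event):
    """Score one request against the lure indicators; returns (score, reasons)."""
    url = urlparse(event["url"])
    host = (url.hostname or "").lower()
    filename = url.path.rsplit("/", 1)[-1].lower()
    reasons = []

    if filename.endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("executable download")
    if any(term in filename for term in LURE_TERMS):
        reasons.append("lure keyword in file name")
    if host.endswith(GOOGLE_HOSTED_SUFFIXES):
        reasons.append("google-hosted origin")
    if is_google_search_referer(event["referer"]):
        reasons.append("arrived from google search")
    if filename in DECOY_NAMES:
        reasons.append("known decoy application name")

    score = sum(WEIGHTS.get(r, 1) for r in reasons)
    return score, reasons


def hunt(lines):
    """Return [(url, score, reasons)] for GET requests at or above ALERT_THRESHOLD."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None or event["method"] != "GET":
            continue
        score, reasons = score_request(event)
        if score >= ALERT_THRESHOLD:
            hits.append((event["url"], score, reasons))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '2021-06-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html 200 "-"',
    '2021-06-01T10:02:13Z 10.0.0.5 GET https://sites.google.com/view/free-invoice-template/invoice_template.exe 200 '
    '"https://www.google.com/search?q=free+invoice+template"',
    '2021-06-01T10:05:40Z 10.0.0.7 GET https://cdn.example.org/dl/docx2rtf.exe 200 "-"',
    '2021-06-01T10:07:02Z 10.0.0.9 GET https://sites.google.com/view/resume-examples/resume.pdf 200 '
    '"https://www.google.com/search?q=resume+example"',
]

if __name__ == "__main__":
    for url, score, reasons in hunt(SAMPLE_LOG):
        print(f"{score} {url}\n    " + "; ".join(reasons))
```

The scoring deliberately keeps a PDF fetched from a Google-hosted page after a search below the alert threshold, since that is ordinary user behaviour; only an executable download or a known decoy name carries enough weight to raise an alert on its own combination of indicators. In a real deployment the referer and file-name checks would be run against the proxy's actual field layout, and the decoy list would be fed from current threat intelligence rather than the three names quoted in the article.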