Detection evasion capabilities added in novel SolarMarker malware variant

Researchers from Palo Alto Networks' Unit 42 threat intelligence team have found that the SolarMarker malware, also known as Jupyter, has been updated yet again with improved capabilities for evading detection, The Hacker News reports. "The recent version demonstrated an evolution from Windows Portable Executables (EXE files) to working with Windows installer package files (MSI files). This campaign is still in development and going back to using executable files (EXE) as it did in its earlier versions," the researchers said. SolarMarker's operators appear to have carried over techniques from a campaign detected in February: the infection chain uses 250MB executables for PDF readers and other utilities, which not only deploy the initial-stage dropper but also install a legitimate program, with SolarMarker itself then deployed through a PowerShell installer. "The malware invests significant effort into defense evasion, which consists of techniques like signed files, huge files, impersonation of legitimate software installations and obfuscated PowerShell scripts," the researchers said.