SolarMarker Malware Uses Novel Techniques To Persist On Hacked Systems

 In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.

Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.

Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.

The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launches a PowerShell script to deploy the malware.

"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.

"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."

What's more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.

The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.

"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."

Continue reading

1. Bluetooth Hacking Tools Kali
2. Free Pentest Tools For Windows
3. Best Hacking Tools 2019
4. Pentest Reporting Tools
5. Hacker Tools For Windows
6. Ethical Hacker Tools
7. Hak5 Tools
8. Pentest Tools Tcp Port Scanner
9. Hacking Tools For Games
10. Hacker Tools For Ios
11. Free Pentest Tools For Windows
12. Best Hacking Tools 2019
13. Termux Hacking Tools 2019
14. Hacker
15. Ethical Hacker Tools
16. What Are Hacking Tools
17. Hacker Tools Windows
18. How To Make Hacking Tools
19. Pentest Tools For Mac
20. Hacking Tools Hardware
21. Hacking Tools Github
22. Hacking Tools For Pc
23. Growth Hacker Tools
24. What Is Hacking Tools
25. Hack Tools Mac
26. Hacker Tools Mac
27. Nsa Hacker Tools
28. Termux Hacking Tools 2019
29. Physical Pentest Tools
30. Hacking Tools For Kali Linux
31. Hacker Tools Online
32. Hack Apps
33. Pentest Tools Website
34. Growth Hacker Tools
35. Hacker Tools Free
36. Hacking Tools 2020
37. Hack Tools
38. Top Pentest Tools
39. Android Hack Tools Github
40. Easy Hack Tools
41. Tools 4 Hack
42. Hacker Security Tools
43. Tools Used For Hacking
44. Pentest Tools Free
45. Tools Used For Hacking
46. Pentest Tools Free
47. Pentest Tools Website
48. Hacking Tools 2019
49. Hacker Tools Online
50. Hack Tools
51. Hack Tools Mac
52. Easy Hack Tools
53. Hack Tools Download
54. Black Hat Hacker Tools
55. Hacking Tools 2019
56. Pentest Box Tools Download
57. Best Pentesting Tools 2018
58. Hacking Tools 2020
59. Best Hacking Tools 2020
60. Wifi Hacker Tools For Windows
61. Hacker Tools Software
62. Pentest Tools Find Subdomains
63. Hacking Tools For Pc
64. Hackers Toolbox
65. New Hack Tools
66. What Is Hacking Tools
67. Best Hacking Tools 2019
68. Computer Hacker
69. Pentest Tools Subdomain
70. Install Pentest Tools Ubuntu
71. World No 1 Hacker Software
72. New Hacker Tools
73. Pentest Tools For Windows
74. Best Hacking Tools 2020
75. Hacking Tools For Windows
76. Hacking Tools For Beginners
77. Best Hacking Tools 2019
78. Hack Tools For Ubuntu
79. Hacking Tools Usb
80. What Is Hacking Tools
81. Growth Hacker Tools
82. Tools For Hacker
83. Hack Rom Tools
84. Wifi Hacker Tools For Windows
85. Pentest Reporting Tools
86. Hacker Hardware Tools
87. Hacking Tools
88. Hacker Tools For Pc
89. Hacking Tools For Beginners
90. Hacker Tools 2019
91. Hack Tools Pc
92. Pentest Recon Tools
93. Best Hacking Tools 2019
94. Github Hacking Tools
95. Hacking Tools For Beginners
96. Pentest Tools
97. Hacker Tools For Ios
98. Pentest Tools Download
99. How To Hack
100. Pentest Tools Download
101. Hacker Tools 2020
102. Hacking Tools For Kali Linux
103. Hack Tools For Pc
104. Underground Hacker Sites
105. Hacking Tools Kit
106. Hacker Tools Free
107. Install Pentest Tools Ubuntu
108. Pentest Tools Find Subdomains
109. Tools 4 Hack
110. Underground Hacker Sites
111. Hack Tools Online
112. Pentest Tools Review
113. Hacker Hardware Tools
114. New Hack Tools
115. Tools 4 Hack
116. Pentest Automation Tools
117. Pentest Reporting Tools
118. Pentest Tools Port Scanner
119. Pentest Tools Find Subdomains
120. Ethical Hacker Tools
121. Pentest Tools Website Vulnerability
122. Hacker Tools Hardware
123. Hack Tool Apk
124. Hacking Tools For Windows 7
125. Best Hacking Tools 2020
126. Hack App
127. Bluetooth Hacking Tools Kali
128. Hacker Tools Mac
129. Pentest Automation Tools
130. Hacking Tools For Kali Linux
131. Pentest Tools Kali Linux
132. How To Hack
133. Hacking Tools Software
134. Hacker
135. Hacker Tools Online
136. Hacking Apps
137. Hacking Tools For Kali Linux
138. Hack Tools Pc
139. Wifi Hacker Tools For Windows
140. Hacking Tools
141. Pentest Tools For Ubuntu
142. Hacking Tools 2019
143. Hacking Tools For Windows Free Download
144. Kik Hack Tools
145. Pentest Tools For Ubuntu
146. Pentest Tools Alternative
147. Hacker Hardware Tools
148. Tools 4 Hack
149. Easy Hack Tools
150. Hacker Hardware Tools
151. Pentest Tools Online
152. Hacking Apps
153. Hacking Tools Usb
154. Hacker Security Tools
155. Hack Tool Apk
156. Game Hacking
157. Hack Apps
158. Pentest Tools For Windows
159. Hacking Tools For Windows