New Techniques Adopted By SolarMarker To Maintain Presence On Hacked Systems

As threat actors continuously change their patterns, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy tricks to establish long-term persistence on compromised systems.

This was spotted by the cybersecurity firm Sophos, which observed that the remote access implants are still being detected on targeted networks despite the campaign's decline in November 2021.

With both information-harvesting and backdoor capabilities, the .NET-based malware has been linked to three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victims' machines.

The malware was also observed in August targeting the healthcare and education sectors with the aim of gathering credentials and sensitive information. Other infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure delivery of the malware.

SolarMarker's mode of operation begins by redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement or Nitro Pro, also launch a PowerShell script to deploy the malware.


“These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted,” Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with a popular cybersecurity blog.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into the Windows startup directory with the aim of establishing persistence. The unauthorized change culminates in the malware being loaded from an encrypted payload hidden within what the researchers called a "smokescreen" of over 300 junk files created specifically for this purpose.

One would expect the linked file to be an executable or a script, but in this case the linked file is one of the random junk files and cannot be executed by itself.

What’s more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.
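The persistence chain described above (Startup-folder .LNK, a target with an unusual extension, and a custom file type whose open handler runs PowerShell) can be audited on a Windows host with the following script. It is added here as an example and is not code from the Sophos report; it assumes the custom file type is visible under HKEY_CLASSES_ROOT and that the handler command names powershell.exe or pwsh.exe.

```powershell
# Audit Startup-folder shortcuts whose target extension is bound to a file type
# that launches PowerShell. Added example, not from the original report; assumes
# it runs on the host under audit with read access to HKCR and the Startup folders.
function Get-SuspiciousStartupShortcuts {
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
            # Resolve the shortcut target; a junk file with a random extension is the tell.
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            if (-not $target) { continue }
            $ext = [System.IO.Path]::GetExtension($target)
            if (-not $ext) { continue }

            # Follow the chain the technique relies on: extension -> ProgID -> shell\open\command.
            # HKCR is the merged view, so a per-user HKCU\Software\Classes entry shows up too.
            $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" `
                       -ErrorAction SilentlyContinue).'(default)'
            if (-not $progId) { continue }
            $cmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                    -ErrorAction SilentlyContinue).'(default)'

            if ($cmd -and $cmd -match 'powershell|pwsh') {
                [PSCustomObject]@{
                    Shortcut    = $lnk.FullName
                    Target      = $target
                    Extension   = $ext
                    ProgId      = $progId
                    OpenCommand = $cmd
                }
            }
        }
    }
}

# Any hit is worth triage: a Startup shortcut to a non-executable file whose
# registered handler is a PowerShell command is not normal Windows behaviour.
Get-SuspiciousStartupShortcuts | Format-List
```

Run it in an elevated session to cover the all-users Startup folder; a clean host returns nothing.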
