SolarMarker Malware Uses Novel Techniques To Persist On Hacked Systems

 In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.

Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.

Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.

The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launches a PowerShell script to deploy the malware.

"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.

"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."

What's more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.

The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.

"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."

Related word

1. Hack Tools 2019
2. Tools Used For Hacking
3. Tools 4 Hack
4. Growth Hacker Tools
5. Hacking Tools 2020
6. Hacker Tools Github
7. Pentest Tools Framework
8. Easy Hack Tools
9. Hacking Tools
10. Underground Hacker Sites
11. Pentest Tools Open Source
12. Hacking Tools Github
13. Hack And Tools
14. Hack Tools Pc
15. Hacking Tools For Pc
16. Hacker Tools
17. Hacking Tools For Mac
18. Hack Tools For Pc
19. Github Hacking Tools
20. Pentest Tools Nmap
21. Hack Tools
22. Pentest Tools Port Scanner
23. Hack Tool Apk No Root
24. Bluetooth Hacking Tools Kali
25. Pentest Tools Android
26. How To Hack
27. Hack Tool Apk No Root
28. Hacking Tools Kit
29. Hack Tools Github
30. Pentest Tools Windows
31. Pentest Tools Bluekeep
32. Pentest Tools Tcp Port Scanner
33. Hacking Tools Name
34. Hack Tools Pc
35. Pentest Tools Framework
36. Hacking Tools Download
37. How To Make Hacking Tools
38. Pentest Tools Website
39. How To Make Hacking Tools
40. Hacker Tools For Ios
41. Hacking Tools And Software
42. New Hack Tools
43. Wifi Hacker Tools For Windows
44. Pentest Tools Subdomain
45. Pentest Tools Bluekeep
46. Hacking Tools
47. Hacking Tools Usb
48. Hacker Tools Online
49. Hacking Tools Windows
50. How To Hack
51. Hacking Tools For Games
52. Pentest Recon Tools
53. Pentest Tools For Mac
54. Hacker Tools Mac
55. Hacking Tools Name
56. Nsa Hack Tools Download
57. Hack Tools For Windows
58. Hacking Tools Software
59. Top Pentest Tools
60. Beginner Hacker Tools
61. Hacking Tools
62. Nsa Hack Tools Download
63. Pentest Tools Website
64. Hacking Tools And Software
65. Pentest Tools For Android
66. Hacker Hardware Tools
67. Hack Tools Pc
68. Hack Website Online Tool
69. Hacking Tools Usb
70. Hacker Tools Software
71. Hacking Tools For Mac
72. Nsa Hack Tools
73. Hack Tools
74. Hacker Tools Github
75. Growth Hacker Tools
76. Github Hacking Tools
77. Pentest Tools Website
78. Pentest Tools For Ubuntu
79. Hacking Tools Github
80. Hack Tools Pc
81. Hacking Tools
82. Hacker Search Tools
83. Pentest Tools Port Scanner
84. Hacking Tools For Games
85. Hacker Tool Kit
86. Hacking Tools Windows
87. Pentest Recon Tools
88. Pentest Tools Url Fuzzer
89. Hacker Hardware Tools
90. Hacking Tools 2019
91. Pentest Tools Review
92. Bluetooth Hacking Tools Kali
93. Hacker Tools Hardware
94. Pentest Tools For Ubuntu
95. Hacking Tools Hardware
96. Hacking Tools Software
97. Hacking Tools Usb
98. Hacking Tools 2019
99. Pentest Tools For Android
100. Hacking Tools Windows
101. Hacking Tools 2019
102. Pentest Tools Find Subdomains
103. Hack Website Online Tool
104. Tools 4 Hack
105. Game Hacking
106. Pentest Tools Subdomain
107. Nsa Hack Tools Download
108. Hack Tools Online
109. Hack Apps
110. Hackrf Tools
111. Hacker Tools For Windows
112. Hacker Tools 2020
113. Hack Tools 2019
114. Hacker Tools Software
115. Hacking Tools For Windows
116. How To Hack
117. Wifi Hacker Tools For Windows
118. Hacker Search Tools
119. Pentest Tools Download
120. Hack Apps
121. Pentest Tools For Android
122. Best Hacking Tools 2020
123. Hacking Tools Software
124. Pentest Automation Tools
125. Hacking Tools Name
126. Hacking Tools Windows 10
127. Hacking Tools Windows 10
128. Hacker Security Tools
129. Pentest Tools Bluekeep
130. Usb Pentest Tools
131. Hacker Tool Kit
132. Hacking Tools For Windows Free Download
133. Pentest Automation Tools
134. Pentest Tools Apk
135. Hacker Tools 2020
136. Hacking Tools For Beginners
137. Hack Tools Online
138. Hacking App
139. Tools 4 Hack