SolarMarker Malware Uses Novel Techniques To Persist On Hacked Systems

 In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.

Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.

Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.

The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launches a PowerShell script to deploy the malware.

"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.

"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."

What's more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.

The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.

"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."

More articles

1. New Hack Tools
2. Install Pentest Tools Ubuntu
3. Hacking Tools For Mac
4. Hacking Tools Online
5. Hacker Tools Apk Download
6. Pentest Tools
7. Hacking Tools For Mac
8. New Hacker Tools
9. Pentest Tools Website Vulnerability
10. Pentest Tools For Ubuntu
11. How To Install Pentest Tools In Ubuntu
12. Hack Tool Apk
13. Hacking Apps
14. Pentest Box Tools Download
15. Hack Apps
16. Hack Tools For Mac
17. Hack And Tools
18. Hacker Tools Mac
19. Tools For Hacker
20. Pentest Tools List
21. Hacker Tools Apk Download
22. Nsa Hacker Tools
23. Hacking Tools Software
24. Hacking Tools For Mac
25. Pentest Tools Github
26. Hacking Tools Name
27. Hack Tools
28. Nsa Hack Tools
29. Hacking App
30. Wifi Hacker Tools For Windows
31. Hacker Security Tools
32. Pentest Tools Android
33. Pentest Tools Website
34. Pentest Tools Website
35. Hack Tools For Pc
36. Hacking Tools For Windows
37. Hack Apps
38. Hacking Tools 2019
39. Pentest Tools For Mac
40. Hacker Tools Online
41. Best Pentesting Tools 2018
42. Free Pentest Tools For Windows
43. Hacking Tools For Pc
44. Hak5 Tools
45. What Is Hacking Tools
46. Android Hack Tools Github
47. Kik Hack Tools
48. Pentest Tools Url Fuzzer
49. Hack Tools For Pc
50. Hack Tools For Pc
51. Hacker Tools Free Download
52. How To Hack
53. Hacker Tools Github
54. Hacker Tools Apk Download
55. New Hacker Tools
56. Hacking Tools For Kali Linux
57. New Hack Tools
58. Hacker Tools Linux
59. Pentest Tools For Mac
60. Hacker Tools Github
61. Hacker Tools List
62. Pentest Tools Bluekeep
63. Hacker Tools Hardware
64. Hacking Tools For Games
65. Hacking Tools Online
66. Hack Tools
67. Hacking Tools Kit
68. New Hacker Tools
69. Black Hat Hacker Tools
70. Hacker Tools For Ios
71. Hacking Tools Usb
72. Hack Tools 2019
73. Pentest Tools Linux
74. Blackhat Hacker Tools
75. Easy Hack Tools
76. Hacker Tool Kit
77. What Is Hacking Tools
78. Hacker Security Tools
79. Hacker Tools
80. Hacker Tools Hardware
81. Hacking Tools Windows
82. Black Hat Hacker Tools
83. Hacking Tools For Windows 7
84. Growth Hacker Tools
85. Pentest Tools Apk
86. Hacking Tools Name
87. Pentest Reporting Tools
88. Pentest Tools Kali Linux
89. Hacking Tools Software
90. Hacking Tools Online
91. Hacker Tools Hardware
92. Hacking Tools Windows
93. Hacker Tools
94. Pentest Tools For Ubuntu
95. Pentest Tools Online
96. How To Hack
97. Nsa Hacker Tools
98. Hacker Tools Free Download
99. Github Hacking Tools
100. Pentest Box Tools Download
101. How To Make Hacking Tools
102. Hacking Tools For Mac
103. Hacker Tools Software
104. Hacker Tools For Pc
105. Github Hacking Tools
106. Pentest Tools Free
107. Hack Tool Apk No Root
108. Termux Hacking Tools 2019
109. Hack Tools For Games
110. Hacker Tools Apk
111. Easy Hack Tools
112. Hacking Tools For Kali Linux
113. Pentest Tools Open Source
114. Hack Tools For Pc
115. Tools For Hacker
116. Pentest Tools For Mac
117. Hack Tools For Mac
118. Pentest Tools Review
119. Hack Tool Apk No Root
120. Best Pentesting Tools 2018
121. Hack Tools Download
122. Hack Tools For Pc
123. Hacking Tools For Windows Free Download
124. Pentest Recon Tools
125. Hackers Toolbox
126. Pentest Tools For Mac
127. Pentest Tools Website
128. Hacking Tools Name
129. Hacker Hardware Tools
130. Pentest Tools Port Scanner
131. Physical Pentest Tools