Thursday, 25 January 2024

SolarMarker Malware Uses Novel Techniques To Persist On Hacked Systems

In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.

Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.

Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.

The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate installers such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launch a PowerShell script to deploy the malware.


"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.

"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."

What's more, the unique, randomly generated file extension of the linked junk file is used to register a custom file type key in the Registry; the handler command for that file type is what ultimately executes the malware at system startup, by running a PowerShell command stored in the Registry.
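As an added illustration (not code from the Sophos report or from SolarMarker itself), the chain just described can be checked from an inventory of a host's Startup folder and HKEY_CLASSES_ROOT: a shortcut whose target is a non-executable file, whose extension maps to a ProgID, whose open command launches PowerShell. The paths, extension, ProgID and handler strings below are constructed sample data, not real indicators.

```python
import ntpath
import re

# Constructed sample inventory (hypothetical values, not real IoCs):
# shortcut path in the Startup folder -> resolved .LNK target.
STARTUP_LINKS = {
    r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk":
        r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a3f9.lnk":
        r"C:\Users\u\AppData\Roaming\junk\file.k7qz",   # one of the "smokescreen" junk files
}

# Constructed registry snapshot: key path -> default value.
REGISTRY = {
    r"HKCR\.txt": "txtfile",
    r"HKCR\txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    r"HKCR\.k7qz": "k7qzfile",                          # custom file type for the random extension
    r"HKCR\k7qzfile\shell\open\command":
        'powershell.exe -WindowStyle hidden -Command "<placeholder loader command>"',
}

# Targets of these types run directly; they never go through a file-type handler.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".msi", ".scr"}
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)


def open_command_for(ext, registry):
    """Resolve HKCR\\<ext> -> ProgID -> shell\\open\\command, or None if unregistered."""
    progid = registry.get(f"HKCR\\{ext}")
    if not progid:
        return None
    return registry.get(f"HKCR\\{progid}\\shell\\open\\command")


def find_suspicious_startup_links(startup_links, registry):
    """Flag Startup shortcuts whose non-executable target is opened by a PowerShell handler."""
    findings = []
    for lnk, target in startup_links.items():
        ext = ntpath.splitext(target)[1].lower()
        if not ext or ext in EXECUTABLE_EXTS:
            continue  # a shortcut to an executable is the ordinary case
        command = open_command_for(ext, registry)
        if command and POWERSHELL_RE.search(command):
            findings.append({"lnk": lnk, "target": target, "ext": ext, "command": command})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_startup_links(STARTUP_LINKS, REGISTRY):
        print(f"{hit['lnk']} -> {hit['target']} ({hit['ext']}) runs: {hit['command']}")
```

On a live host the two dictionaries would be filled from the Startup folder (resolving each .LNK target) and from HKEY_CLASSES_ROOT; the logic that ties them together is the part a detection rule needs.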

The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.

"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."
