SolarMarker Malware Uses Novel Techniques To Persist On Hacked Systems

 In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.

Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.

Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.

The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launches a PowerShell script to deploy the malware.

"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.

"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."

What's more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.

The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.

"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."

Read more

1. Hack Tools For Windows
2. World No 1 Hacker Software
3. Hack Tools
4. Pentest Tools Download
5. Pentest Tools Port Scanner
6. Hackrf Tools
7. Blackhat Hacker Tools
8. Hacker Tools 2019
9. Pentest Tools Kali Linux
10. Hacking Apps
11. Hacking Tools Software
12. Hack And Tools
13. Pentest Tools Kali Linux
14. Hacker Tools Windows
15. Pentest Tools Framework
16. Pentest Tools Kali Linux
17. Pentest Tools Subdomain
18. How To Make Hacking Tools
19. Hacker Tools For Windows
20. Hacking Tools Online
21. Pentest Tools Url Fuzzer
22. Hack Tool Apk
23. Hacking Tools For Kali Linux
24. Hack Apps
25. Best Pentesting Tools 2018
26. Hacking Apps
27. Hacker Tools
28. Hack Tools For Windows
29. Nsa Hack Tools
30. Hack Tools For Windows
31. Hack Tool Apk
32. Hack Tool Apk
33. Physical Pentest Tools
34. Best Hacking Tools 2020
35. Hack Website Online Tool
36. New Hacker Tools
37. Hack Tools For Pc
38. Hack Tools Download
39. Hacking Tools For Mac
40. Blackhat Hacker Tools
41. Pentest Tools Free
42. Hacking Tools Mac
43. Easy Hack Tools
44. Hack Tools For Mac
45. Hacker Techniques Tools And Incident Handling
46. Top Pentest Tools
47. Hacker Tools For Pc
48. Hacker Tools Mac
49. Hack And Tools
50. Pentest Tools Free
51. Hack Tools 2019
52. Pentest Tools Review
53. Computer Hacker
54. Hack Tools Pc
55. Tools Used For Hacking
56. Hacker Tools Online
57. Hack Tools For Ubuntu
58. Hacker Tools List
59. Nsa Hacker Tools
60. Pentest Tools
61. Pentest Tools Linux
62. Pentest Tools For Ubuntu
63. Pentest Tools For Mac
64. Pentest Tools Windows
65. Pentest Tools Online
66. Hack Apps
67. New Hacker Tools
68. Hacking Tools
69. Hacker Tools 2019
70. Hacking Tools Github
71. Hacking Tools Usb
72. Android Hack Tools Github
73. Hack Tool Apk
74. Pentest Tools Website Vulnerability
75. Hacking Tools Hardware
76. World No 1 Hacker Software
77. Pentest Tools Linux
78. Hack Tools
79. What Are Hacking Tools
80. Top Pentest Tools
81. Hacker Security Tools
82. Pentest Tools Framework
83. Computer Hacker
84. Hack Rom Tools
85. Nsa Hack Tools
86. Beginner Hacker Tools
87. Pentest Tools Find Subdomains
88. Hacker Tools Online
89. Pentest Tools
90. Pentest Reporting Tools
91. Pentest Tools For Windows
92. Hackers Toolbox
93. Hacker Tools Mac
94. Pentest Tools Bluekeep
95. Computer Hacker
96. Growth Hacker Tools
97. Nsa Hack Tools Download
98. Hacking Tools Usb
99. Hacker Tools Linux
100. Pentest Box Tools Download
101. Hacking Tools And Software
102. Hacker Tools For Ios
103. Usb Pentest Tools
104. Pentest Recon Tools
105. Pentest Tools For Ubuntu
106. Pentest Tools For Mac
107. Hacking Tools Download
108. Hacker Techniques Tools And Incident Handling
109. Black Hat Hacker Tools
110. Hacker Tools 2020
111. Pentest Tools List
112. Hacker Tools For Pc
113. Pentest Tools Subdomain
114. Hacker Tools Mac
115. Hack Tools Github
116. Pentest Tools Nmap
117. Hacking App
118. World No 1 Hacker Software
119. Hackers Toolbox
120. Pentest Tools Apk
121. Usb Pentest Tools
122. Best Hacking Tools 2020
123. World No 1 Hacker Software
124. Hacker Tools Windows
125. Pentest Tools Review
126. Hackers Toolbox
127. Hacking Tools 2019
128. How To Install Pentest Tools In Ubuntu
129. Hack Tools For Ubuntu
130. Pentest Tools Open Source
131. Hacking Tools For Beginners
132. Pentest Tools Bluekeep
133. Hacker Tools Apk Download
134. Usb Pentest Tools
135. Pentest Tools Website Vulnerability
136. Hacker Tools Software
137. Blackhat Hacker Tools
138. Pentest Automation Tools
139. Pentest Tools Online
140. Hacker Tools Windows
141. Hacking Tools 2020
142. Hack Tools Mac
143. Nsa Hack Tools Download
144. Ethical Hacker Tools
145. Hak5 Tools
146. Hacker
147. Hack Tools For Games
148. Hackrf Tools
149. Pentest Tools Find Subdomains
150. Hacking Tools 2020
151. Hacker Tools 2019
152. Wifi Hacker Tools For Windows
153. Best Hacking Tools 2020
154. Hacker Tools Windows
155. Hack Tools Mac
156. Nsa Hack Tools
157. Hacker Tools List