Actually Make Money Online

Saturday, May 27, 2023

SolarMarker Malware Uses Novel Techniques To Persist On Hacked Systems

In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.

Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.

Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.

The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launch a PowerShell script to deploy the malware.

"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.

"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."

What's more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.
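The persistence chain described above (a Startup-folder .LNK pointing at a non-executable junk file whose random extension is bound, through a custom file type key, to a PowerShell open command) can be hunted for with a short script. The following is an added example written for this page, not code from Sophos or from the report; the heuristics it applies (the list of "normal" shortcut target extensions, the PowerShell match, the sibling-file count used as a smokescreen indicator) are assumptions, not detection logic from the original article.

```powershell
# Added hunt script: flag Startup-folder shortcuts whose target is a non-executable file
# whose extension resolves, via a file type key, to a shell\open\command running PowerShell.
# Run in an elevated session so both the per-user and all-users Startup folders are readable.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$shell = New-Object -ComObject WScript.Shell
# Extensions a legitimate Startup shortcut normally points at (assumed allowlist).
$knownExec = @('.exe', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.lnk', '.url', '.msc')

foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if (-not $target) { return }
        $ext = [System.IO.Path]::GetExtension($target).ToLower()
        if (-not $ext -or $knownExec -contains $ext) { return }

        # Number of files sitting next to the target: the report describes 100 to 300
        # junk files created as a smokescreen around the real payload.
        $siblings = (Get-ChildItem -Path (Split-Path $target) -File -ErrorAction SilentlyContinue).Count

        # Resolve extension -> ProgID -> open command. HKCU\Software\Classes is checked
        # first because a per-user file type key overrides the machine-wide one.
        foreach ($hive in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
            $progId = (Get-ItemProperty -Path "$hive\$ext" -ErrorAction SilentlyContinue).'(default)'
            if (-not $progId) { continue }
            $cmdKey = "$hive\$progId\shell\open\command"
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($cmd -and $cmd -match 'powershell|pwsh') {
                [pscustomobject]@{
                    Shortcut     = $_.FullName
                    Target       = $target
                    Extension    = $ext
                    ProgId       = $progId
                    CommandKey   = $cmdKey
                    Command      = $cmd
                    SiblingFiles = $siblings
                }
            }
        }
    }
}
```

Any row returned is worth triaging by hand: the file type key named in CommandKey and the shortcut itself are the artifacts to preserve before remediation.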

The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.

"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."
