SolarMarker Malware Uses Novel Techniques To Persist On Hacked Systems

 In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.

Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.

Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.

The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launches a PowerShell script to deploy the malware.

"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.

"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."

What's more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.

The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.

"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."

Related articles

1. Hack Tools Github
2. Hacking Tools 2019
3. Pentest Tools Open Source
4. Hacking Tools Hardware
5. Hacking Tools 2019
6. Computer Hacker
7. Tools 4 Hack
8. Hackrf Tools
9. Hack Tools For Ubuntu
10. Pentest Tools Android
11. Pentest Box Tools Download
12. Hacker Tools Mac
13. Hack Rom Tools
14. New Hack Tools
15. Game Hacking
16. Ethical Hacker Tools
17. Hacker
18. Hack Tools For Ubuntu
19. Hacker Tools Apk
20. Hacker Tools Free Download
21. Hack And Tools
22. Hacking Tools Windows 10
23. Hacking Tools For Pc
24. Hacking Tools For Games
25. Hacker Tools For Pc
26. Pentest Tools Android
27. Termux Hacking Tools 2019
28. Tools Used For Hacking
29. Pentest Tools Bluekeep
30. Hack Tools Pc
31. Pentest Tools Open Source
32. Game Hacking
33. Pentest Tools Port Scanner
34. Hacker Tools 2019
35. Hack App
36. Hacker Tools Apk
37. Hacker Tools Github
38. Physical Pentest Tools
39. Hack And Tools
40. How To Hack
41. New Hacker Tools
42. Top Pentest Tools
43. Pentest Tools For Mac
44. Best Pentesting Tools 2018
45. Hacking Tools Mac
46. Hack Website Online Tool
47. Pentest Recon Tools
48. Pentest Tools Android
49. Best Hacking Tools 2019
50. How To Hack
51. Tools 4 Hack
52. Hacker Tools List
53. Hacking Tools Download
54. Hacking Tools Windows
55. Game Hacking
56. Hacker Security Tools
57. Best Hacking Tools 2019
58. Top Pentest Tools
59. What Is Hacking Tools
60. Hacking Tools Windows
61. How To Hack
62. Hacking Tools And Software
63. Hacking Apps
64. Hacking Tools For Pc
65. Pentest Tools Url Fuzzer
66. Termux Hacking Tools 2019
67. Pentest Tools List
68. Wifi Hacker Tools For Windows
69. Hacker Search Tools
70. Hacker Techniques Tools And Incident Handling
71. Pentest Tools
72. Pentest Tools
73. Pentest Tools Kali Linux
74. Pentest Automation Tools
75. Hacker Tools Windows
76. Tools For Hacker
77. Hacker Tools For Ios
78. Hacker Tools Apk
79. Tools For Hacker
80. Physical Pentest Tools
81. Termux Hacking Tools 2019
82. Tools For Hacker
83. Hack Tools For Windows
84. Hack And Tools
85. Hacking Tools For Beginners
86. Hack Tools Github
87. Pentest Tools Website Vulnerability
88. Pentest Tools Nmap
89. Hackers Toolbox
90. Hacking Tools For Mac
91. Hack Tools Online
92. Pentest Tools Subdomain
93. Hacker Tools Hardware
94. Hack Tools For Games
95. Tools Used For Hacking
96. Wifi Hacker Tools For Windows
97. Pentest Tools Apk
98. Hack Tools For Mac
99. Hack Tools For Mac
100. Pentest Tools Nmap
101. Tools For Hacker
102. Hack Website Online Tool
103. Pentest Tools For Ubuntu
104. Pentest Tools Website Vulnerability
105. Hacking Tools Software
106. Pentest Tools Linux
107. Hacker
108. Hack Tools Github
109. Pentest Tools Find Subdomains
110. Hacker Tools For Ios
111. Underground Hacker Sites
112. How To Make Hacking Tools
113. Tools 4 Hack
114. Pentest Tools Alternative
115. Hacking Tools
116. Hacker Tools Mac
117. Hack And Tools
118. Hacker Tools Online
119. Pentest Tools Windows
120. Game Hacking
121. Hack Tools For Mac
122. Tools For Hacker
123. Pentest Tools Android
124. Hacking Tools
125. Hacking Tools And Software
126. Pentest Tools Apk
127. Pentest Tools Online
128. Hacking Tools For Beginners
129. World No 1 Hacker Software
130. Hacker Tools 2020
131. Hak5 Tools
132. Hacking Tools For Windows 7
133. Hacker Tools List
134. Hacker Tools Free
135. Nsa Hack Tools
136. Pentest Tools Apk
137. Hacking Tools Software
138. Pentest Reporting Tools
139. Hacking Tools Download
140. Hacker Tools Apk Download
141. Pentest Tools Nmap
142. Hacking Tools Software
143. Hacking Tools
144. Nsa Hacker Tools
145. Hacking Apps
146. Easy Hack Tools
147. Best Pentesting Tools 2018
148. Hacker Hardware Tools
149. Pentest Tools Open Source
150. Pentest Recon Tools
151. Hacking Tools For Windows 7
152. Pentest Tools Github