SolarMarker Malware Uses Novel Techniques To Persist On Hacked Systems

 In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.

Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.

Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.

The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launches a PowerShell script to deploy the malware.

"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.

"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."

What's more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.

The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.

"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."

Related word

1. Hacking Tools For Beginners
2. Nsa Hack Tools Download
3. How To Make Hacking Tools
4. Pentest Tools Find Subdomains
5. Hacking Tools For Windows
6. Hacker Tools Mac
7. Hacker Tools Windows
8. Hacks And Tools
9. Pentest Tools Free
10. Hacker Tools Software
11. Hacking Tools Hardware
12. Hackrf Tools
13. Hacker Tools For Ios
14. Hacking Tools Software
15. Hacking Tools For Beginners
16. Pentest Tools Linux
17. Ethical Hacker Tools
18. How To Make Hacking Tools
19. Pentest Tools For Ubuntu
20. Tools Used For Hacking
21. Hacking Tools For Mac
22. Hacker Tools For Ios
23. Pentest Tools Website
24. Hacking Tools Online
25. Pentest Tools Url Fuzzer
26. Hacking Tools Usb
27. Hack Tools Pc
28. Hackrf Tools
29. Hacking Tools For Windows 7
30. Hacking Tools For Kali Linux
31. Hacker Tools Linux
32. Hacker Techniques Tools And Incident Handling
33. Hack Rom Tools
34. Hacking Tools For Windows 7
35. Hacker Tools Online
36. Hacking Tools Free Download
37. Hack Tool Apk
38. Hacker Search Tools
39. Hacking Tools Kit
40. Hacking Tools Software
41. Hacking Tools Github
42. Hacking Tools Software
43. Pentest Tools Nmap
44. Pentest Recon Tools
45. Game Hacking
46. Underground Hacker Sites
47. Nsa Hack Tools
48. Tools For Hacker
49. World No 1 Hacker Software
50. Hacker Techniques Tools And Incident Handling
51. Hacker Tools For Pc
52. Wifi Hacker Tools For Windows
53. Nsa Hack Tools Download
54. Best Hacking Tools 2019
55. Hacker Tools 2019
56. Pentest Tools Tcp Port Scanner
57. Pentest Tools Online
58. Hacking Tools Download
59. Pentest Tools Bluekeep
60. Blackhat Hacker Tools
61. Pentest Recon Tools
62. Hacking Tools Usb
63. Hacker Tools Apk
64. Hack Tools For Mac
65. How To Make Hacking Tools
66. Hacking Tools For Mac
67. Hackrf Tools
68. Pentest Tools For Mac
69. Hacking Tools Name
70. Pentest Tools For Mac
71. Hackrf Tools
72. New Hacker Tools
73. Best Pentesting Tools 2018
74. Pentest Tools Nmap
75. Hack Tools For Windows
76. Hacking Tools Windows 10
77. Pentest Tools Subdomain
78. Hacker Tools Linux
79. Hack And Tools
80. Blackhat Hacker Tools
81. Hacking Tools Name
82. Hack Tools Download
83. Hacker Tools Github
84. Hacking Tools For Games
85. Pentest Automation Tools
86. Hack Tools Pc
87. Hack Tools
88. Pentest Tools Download
89. Install Pentest Tools Ubuntu
90. Hacker Tools For Windows
91. Pentest Reporting Tools
92. Hacking Tools For Beginners
93. Kik Hack Tools
94. Hacker Tools For Mac
95. Hacker Tools List
96. Tools 4 Hack
97. Install Pentest Tools Ubuntu
98. Hacker Tools 2019
99. Hacker Tool Kit
100. Hacker Tools List
101. Pentest Tools Url Fuzzer
102. Pentest Tools For Ubuntu
103. Pentest Tools Nmap
104. Pentest Tools For Ubuntu
105. Hacker Hardware Tools
106. Hacker Tools For Windows
107. Pentest Tools Nmap
108. Android Hack Tools Github
109. Hack Tools 2019
110. Hacks And Tools
111. Kik Hack Tools
112. Hacking Tools Windows 10
113. New Hacker Tools
114. How To Hack
115. Hack Tools
116. Hack Tools For Games
117. Best Pentesting Tools 2018
118. Hacker Security Tools
119. Hack Website Online Tool
120. Hack App
121. Hacker Tools
122. Pentest Tools Windows
123. Hacker Tools Free
124. Hacker Security Tools
125. Hacker Tools
126. Growth Hacker Tools
127. Hacker Tools Free Download
128. Hack Website Online Tool
129. Pentest Tools For Windows
130. Pentest Tools For Mac
131. Hacks And Tools
132. What Are Hacking Tools
133. Hack App
134. Hacker
135. Underground Hacker Sites
136. Underground Hacker Sites
137. Hacker Tools 2019
138. Hacking Tools Kit
139. Hacker Tools 2019
140. Hacking Tools And Software
141. Hacker Tools Software
142. Hacker Tools For Ios
143. Hack Rom Tools
144. Growth Hacker Tools
145. Free Pentest Tools For Windows
146. What Are Hacking Tools
147. Hacking Tools Free Download
148. Pentest Tools Apk
149. New Hack Tools
150. Hacker Techniques Tools And Incident Handling
151. Hacking Tools Free Download
152. Hack Tools For Games
153. Pentest Tools Find Subdomains
154. Termux Hacking Tools 2019
155. Hack Tools Download
156. Physical Pentest Tools
157. Pentest Tools Tcp Port Scanner
158. How To Make Hacking Tools
159. Hacker Tools For Mac
160. Black Hat Hacker Tools
161. How To Hack
162. Hacking Tools And Software
163. Pentest Tools Website
164. Hacking Tools 2020
165. Hacking Tools Windows 10
166. Hacking Tools Kit
167. Hacking Tools For Windows Free Download
168. Hacker Tools For Mac
169. Pentest Tools For Windows
170. Tools Used For Hacking
171. New Hack Tools
172. Pentest Tools Apk
173. Pentest Recon Tools
174. Pentest Tools Github
175. Nsa Hacker Tools
176. Pentest Tools Apk
177. Hacking Tools For Windows