SolarMarker Malware Uses Novel Techniques To Persist On Hacked Systems

 In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.

Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.

Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.

The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launches a PowerShell script to deploy the malware.

"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.

"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."

What's more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.

The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.

"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."

More articles

1. Hacker Tools Linux
2. Hack Tools Github
3. Hacker Tools Windows
4. Hack Tools Mac
5. Pentest Tools Url Fuzzer
6. Hacker Tools 2019
7. Pentest Tools Review
8. Pentest Tools Online
9. Hacker Tools Free Download
10. Pentest Tools List
11. Hacking Tools For Mac
12. Pentest Tools Bluekeep
13. Hacking Tools For Windows Free Download
14. Growth Hacker Tools
15. Android Hack Tools Github
16. Nsa Hack Tools
17. Pentest Tools Website Vulnerability
18. Pentest Tools
19. Hack Tools For Mac
20. Hacker Tools Linux
21. Android Hack Tools Github
22. Pentest Tools
23. Hack Tools Pc
24. Hack Tools For Pc
25. Pentest Tools Subdomain
26. Pentest Tools Linux
27. Hack Tool Apk No Root
28. Hacker Tools
29. Pentest Tools List
30. Hack Rom Tools
31. Pentest Automation Tools
32. Pentest Tools
33. Hacker Tools Mac
34. Nsa Hacker Tools
35. Hacking Tools For Windows 7
36. Tools For Hacker
37. Hacking Tools 2019
38. Computer Hacker
39. Hak5 Tools
40. Hack Tool Apk No Root
41. Pentest Tools For Windows
42. Hacker Tools Linux
43. Hack Tools For Mac
44. Computer Hacker
45. Pentest Tools Framework
46. Hack Tools For Mac
47. Hack Tools Online
48. Hacker Tools Hardware
49. Hacker Tool Kit
50. Hacker Tools
51. Pentest Recon Tools
52. Hack Tools Github
53. Hack Apps
54. Easy Hack Tools
55. Pentest Box Tools Download
56. Github Hacking Tools
57. Hack Tools
58. Hack Tool Apk No Root
59. Hack Rom Tools
60. Hacking Tools Free Download
61. Android Hack Tools Github
62. Hacking Tools For Kali Linux
63. Termux Hacking Tools 2019
64. Hack Tools For Windows
65. Best Hacking Tools 2019
66. How To Make Hacking Tools
67. Pentest Tools Free
68. Hacker
69. Hacker Tools For Ios
70. Hack Tools Mac
71. Growth Hacker Tools
72. Nsa Hack Tools
73. Hacker Hardware Tools
74. Hacker Tools Apk Download
75. Hack Tools Mac
76. Pentest Tools Website Vulnerability
77. Ethical Hacker Tools
78. Hack Tools Download
79. Hack Tools Download
80. Hacker Tools Apk Download
81. Hacker Tools For Windows
82. Pentest Tools Framework
83. How To Make Hacking Tools
84. Hacker Techniques Tools And Incident Handling
85. Hacking Tools For Windows Free Download
86. Hacking Tools For Windows
87. Pentest Tools Online
88. World No 1 Hacker Software
89. Pentest Tools Free
90. Pentest Tools For Windows
91. Hacks And Tools
92. Pentest Recon Tools
93. Hacking Tools For Windows 7
94. Pentest Tools Tcp Port Scanner
95. Pentest Tools For Ubuntu
96. Physical Pentest Tools
97. Hack Apps
98. Hacker Tool Kit
99. Wifi Hacker Tools For Windows
100. Hackers Toolbox
101. Hack And Tools
102. Pentest Tools Windows
103. Hacking Tools 2019
104. Hacker Tools Free
105. Hack Apps
106. Pentest Tools Linux
107. Hacker Tools 2019
108. Hacker Hardware Tools
109. What Are Hacking Tools
110. Hack Tools
111. Tools 4 Hack
112. Hacking Tools Download
113. Pentest Tools Open Source
114. Pentest Tools Nmap
115. Hackrf Tools
116. Hack Tools 2019
117. Pentest Tools Open Source
118. Nsa Hack Tools
119. Hacker Tools Apk Download
120. Pentest Tools Port Scanner
121. Kik Hack Tools
122. Hack Tools 2019
123. Pentest Tools Bluekeep
124. Hack Tools
125. Hacking Tools And Software
126. Hacking Tools For Pc
127. Hacking Tools Software
128. Nsa Hacker Tools
129. Pentest Tools Download
130. Hak5 Tools
131. Hack Website Online Tool
132. Beginner Hacker Tools
133. Physical Pentest Tools
134. Hacker Tools For Windows
135. Hacker Search Tools
136. Pentest Tools For Android
137. Hacking Tools For Games
138. Hacker Tools Apk Download
139. Hacker Tools Online
140. Hack Tools 2019
141. Free Pentest Tools For Windows
142. Hack Tools Download
143. Black Hat Hacker Tools