In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy Windows Registry tricks to establish long-term persistence on compromised systems.
Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.
Boasting of information harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three different attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim's machines.
Then in August, the malware was observed targeting healthcare and education sectors with the goal of gathering credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure the delivery of the malware.
The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launches a PowerShell script to deploy the malware.
"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.
The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows' startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden amongst what the researchers called a "smokescreen" of 100 to 300 junk files created specifically for this purpose.
"Normally, one would expect this linked file to be an executable or script file," the researchers detailed. "But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself."
What's more, the unique and random file extension used for the linked junk file is utilized to create a custom file type key, which is ultimately employed to execute the malware during system startup by running a PowerShell command from the Registry.
The backdoor, for its part, is ever-evolving, featuring an array of functionalities that allow it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.
"Another important takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. "For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended."
More articles- Pentest Tools Framework
- Hackers Toolbox
- Pentest Tools Apk
- Tools For Hacker
- Hacking App
- Hack And Tools
- Best Pentesting Tools 2018
- Best Hacking Tools 2020
- Black Hat Hacker Tools
- What Are Hacking Tools
- New Hack Tools
- Pentest Tools Windows
- Hacker Tools Online
- Hacker Tools Github
- Hacking Tools Free Download
- Computer Hacker
- Computer Hacker
- Hacking App
- Pentest Recon Tools
- Nsa Hack Tools Download
- Hack Tools For Games
- What Are Hacking Tools
- Hacker Tools For Windows
- Hacker Tools Github
- Underground Hacker Sites
- Pentest Tools Framework
- Hacking Tools For Beginners
- Blackhat Hacker Tools
- Hack Tools Pc
- Hacker Tools
- New Hack Tools
- Nsa Hack Tools
- Hacker
- Hacker Tools For Ios
- Hack Tools
- Hacking Tools Software
- Hacker Tools 2019
- Hacking Tools For Games
- Nsa Hack Tools
- Hacking Tools For Beginners
- Pentest Tools List
- Tools For Hacker
- Hacker Tool Kit
- Hackrf Tools
- Nsa Hack Tools Download
- Best Pentesting Tools 2018
- Hacking Tools Online
- Hack Tools For Mac
- Best Hacking Tools 2019
- Hacker Tools Free Download
- Hack Tools Download
- Hacker Tools Windows
- Pentest Recon Tools
- Game Hacking
- Pentest Tools Nmap
- Usb Pentest Tools
- Hack Tools For Pc
- Hacking Tools Mac
- Hack Tools Pc
- Hacking Tools For Windows 7
- Underground Hacker Sites
- Hacker Tools For Ios
- Top Pentest Tools
- Hacking Tools Mac
- Hacking Tools Download
- What Are Hacking Tools
- Pentest Tools Free
- Hacker Tools 2020
- Pentest Tools For Ubuntu
- Hacking Tools For Mac
- Hak5 Tools
- Hacker Tools Software
- Hacker Tools 2020
- Tools Used For Hacking
- World No 1 Hacker Software
- Hacking Tools Software
- Hacker Tools Online
- Best Hacking Tools 2020
- Hacking Tools For Games
- Pentest Tools For Mac
- Hack Apps
- Hacker Techniques Tools And Incident Handling
- Hacker Hardware Tools
- Pentest Tools For Mac
- Pentest Recon Tools
- Beginner Hacker Tools
- Hacking Tools
- Hacking Tools For Mac
- Hacker Tools 2020
- Hacker Tools Free
- Best Hacking Tools 2019
- Hacking App
- Pentest Tools List
- Hacking Tools Usb
- Hacks And Tools
- Bluetooth Hacking Tools Kali
- Hack Tools For Pc
- Hacking Tools Pc
- Hackrf Tools
- Hacking Tools Free Download
- Pentest Box Tools Download
- Ethical Hacker Tools
- Hacker Tools Free
- Hack Tool Apk No Root
- Pentest Tools For Android
- Hacker Tools For Pc
- Hacking Tools Github
- Hacking Tools For Windows 7
- Easy Hack Tools
- Hack Tools Online
- Hacker Techniques Tools And Incident Handling
- Termux Hacking Tools 2019
- Kik Hack Tools
- Install Pentest Tools Ubuntu
- Physical Pentest Tools
- Hacker Tools Hardware
- Pentest Tools
- Hacking Tools Online
- Hack Tools
- Hackers Toolbox
- Hacker Tools
- Hacking Tools Online
- Termux Hacking Tools 2019
- Hacker Tools 2020
- Hack App
- Pentest Tools For Windows
- Pentest Tools Free
- Blackhat Hacker Tools
- Pentest Tools Windows
- Hacker Security Tools
- Easy Hack Tools
- Tools For Hacker
- What Is Hacking Tools
- Hack And Tools
- Hacker Tools For Pc
- Hackrf Tools
- Best Pentesting Tools 2018
- Hack Tools For Ubuntu
- Hacker Tools For Mac
- Beginner Hacker Tools
- Beginner Hacker Tools
- Hacker Tools Free Download
No comments:
Post a Comment