The SolarMarker data thief and gateway operators have been identified using devious Windows Registry ways to maintain long-term persistence on infected systems, indicating that the malicious actors are constantly changing strategy and improving defensive mechanisms.
The. NET-based malware, which boasts data harvesting and backdoor capabilities, has been linked to at least three consecutive attack waves in 2021. The first batch revealed in April, employed search engine poisoning to trick business executives by visiting dodgy Google pages which downloaded SolarMarker on users' PCs. In August, the malware was discovered to be stealing accounts and sensitive information from the healthcare and education sectors.
In the following infection chains revealed by Morphisec in September 2021, the usage of MSI installers to assure malware dissemination was observed. SolarMarker's technique begins with users being directed to decoy sites with drop MSI installer payloads which, while downloading ostensibly legitimate software like Adobe Acrobat Pro DC, Nitro Pro, or Wondershare PDFelement, really launch a PowerShell script.
According to cybersecurity firm Sophos, which noticed the new behavior, despite the operation's end in November 2021, remote management implants are still located on targeted networks."Such SEO efforts, which blended Google Groups consultations with deceitful web pages and PDF documents hosted on infected sites, are beneficial, the SolarMarker lures were ordinarily at or near the top of the search engines for phrases the SolarMarker actors targeted," said Sophos researchers Gabor Szappanos and Sean Gallagher.
To assure persistence, the PowerShell installer modifies the Registry Entries and drops a.LNK file into Windows' starting directory. This unlawful alteration causes the malware to be delivered from an encrypted payload concealed behind a "smokescreen" of 100 to 300 garbage files built particularly for this purpose.
The researchers explained, "Usually, one might assume this associated file to be an operable or script file." "However, the linked file for these SolarMarker operations is one of the random trash files, therefore cannot be performed by itself."
Furthermore, the linked junk file's unique and random file extension is used to build a custom file type key, which is then used to run an Executable from the Registry to run the malware during system startup. The backdoor, on the other hand, is constantly growing, with features that allow it to capture information from online browsers, facilitate bitcoin theft, and run arbitrary instructions and programs, with the results being sent to a remote server.
The backdoor is continually being updated with new capabilities that make it possible to steal data from the web browsers, ease bitcoin theft, and execute arbitrary commands and applications with the results related to a remote server.
