Solarmarker Malware Uses Novel Techniques to Remain alive on Hacked Systems
Short News:-
Operators of SolarMarker are employing a variety of stealthy techniques to maintain long-term access to compromised systems. Remote access implants are still being detected on targeted networks, according to cybersecurity firm Sophos. There are at least three distinct outbreaks of.NET-based malware that has been linked to attacks in 2021. The SolarMarker malware is a "stealthy and persistent backdoor" that remains active months after a campaign ends. Persistence is built into the Windows installer by altering the Windows Registry and putting a.LNK file in Windows' startup directory. Researchers were able to load the malware from an encrypted payload.
Detailed News:-
For the first time, researchers have discovered that the operators of the SolarMarker backdoor and information thief are employing a variety of stealthy techniques to maintain long-term access to compromised systems.
However, despite the campaign's apparent decline since its peak in November 2021, the remote access implants are still being detected on targeted networks, according to cybersecurity firm Sophos, which discovered the new behavior.
There are at least three distinct outbreaks of.NET-based malware that has been linked to at least three separate attacks in 2021. Search engine poisoning techniques were used to trick business professionals into visiting shady Google sites that installed SolarMarker on their computers in April, according to a report at the time.
In August, the malware was discovered targeting healthcare and educational institutions with the goal of obtaining credentials and other sensitive data. The use of MSI installers to ensure malware delivery was highlighted in subsequent infection chains by Morphisec in September 2021.
When victims are redirected to decoy sites, the MSI installer payloads are dropped, which while executing seemingly legitimate install programs like Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also launches a PowerShell script to deploy the malware. SolarMarker
Researchers from Sophos said in a report shared with the public that the SolarMarker lures were often at or near the top of search results for phrases the SolarMarker actors targeted thanks to SEO efforts that combined Google Groups discussions with deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites.
Persistence is built into the PowerShell installer by altering the Windows Registry and putting a.LNK file in Windows' startup directory. Using a "smokescreen" of 100 to 300 junk files specifically created for this purpose, researchers were able to load the malware from an encrypted payload.
The researchers explained that "normally one would expect this linked file to be an executable or script file." SolarMarker campaigns, on the other hand, use a link to a un executable junk file."
An additional feature of this malware is that it uses the junk file's random file extension to create a custom file type key, which is then used to run the malware during system startup via a PowerShell command from the Registry.
There are a variety of backdoor features that allow it to steal data from web browsers and cryptocurrency wallets, as well as run arbitrary commands and binaries on a compromised computer and transmit the results of those actions back to a remote server in the wild.
There are a number of important lessons to be learned from the ProxyLogon vulnerabilities that targeted Exchange servers, and one of them is that "defenders should always check whether attackers have left something behind in the network that they can return to later," Gallagher said. A "stealthy and persistent backdoor that according to Sophos Telematics remains active months after the campaign ended" is what ProxyLogon had to deal with.
Post a Comment
Your suggestions and comments are welcome