Sophos researchers Gabor Szappanos and Sean Gallagher reported that “these SEO efforts, which combined Google Groups discussions with deceptive web pages and PDF documents hosted on compromised websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted.”
The operators of the SolarMarker information stealer and backdoor have been discovered using different ways to create long-term persistence on compromised computers, indicating that threat actors are constantly changing tactics and updating their defensive mechanisms.
Despite the campaign’s drop-off in November 2021, the remote access implants are still being identified on targeted networks. The .NET-based malware has been linked to at least three different attack waves in 2021, and carries both information-harvesting and backdoor capabilities.
SolarMarker starts by leading users to decoy sites that drop MSI installer payloads. These installers set up seemingly legitimate applications such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, but also run a PowerShell script that delivers the malware.
The PowerShell installer modifies the Windows Registry and drops a .LNK file into the Windows Startup directory. This alteration causes the malware to be loaded from an encrypted payload concealed behind a “smokescreen” of 100 to 300 junk files created specifically for this purpose.
The researchers explained: “Normally, one would expect this linked file to be an executable or script file. However, the linked file for these SolarMarker campaigns is one of the random trash files, and therefore cannot be performed by itself.”
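A defender-side check for the persistence pattern described above, added here as an illustrative example rather than code from the Sophos report: it lists every shortcut in the per-user and all-users Startup folders, resolves each target through the WScript.Shell COM object, and flags any whose target is not a normal executable or script. The lookup of the file-type handler under HKEY_CLASSES_ROOT is an assumption about how a non-executable target could still launch code; the report does not name the registry keys SolarMarker changes.

```powershell
# Added example (not from the Sophos report): hunt for Startup-folder shortcuts
# whose target is not an executable or script, as in the SolarMarker case.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Extensions a Startup shortcut would normally point at.
$normalTargets = @('.exe', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.msc', '.lnk')
$shell = New-Object -ComObject WScript.Shell

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -Force | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $ext = [IO.Path]::GetExtension($target).ToLowerInvariant()
        if ($normalTargets -notcontains $ext) {
            # Assumption: a non-executable target runs via its registered
            # file-type handler, so record which program Windows would launch.
            $handler = $null
            $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" `
                -ErrorAction SilentlyContinue).'(default)'
            if ($progId) {
                $handler = (Get-ItemProperty `
                    -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                    -ErrorAction SilentlyContinue).'(default)'
            }
            [PSCustomObject]@{
                Shortcut  = $_.FullName
                Target    = $target
                Extension = $ext
                Handler   = $handler
                Reason    = 'Startup shortcut points to a non-executable file'
            }
        }
    }
}
```

Any row returned deserves a look at both the target file and the handler command, since a legitimate handler for an unusual extension is rare in a Startup folder.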
The backdoor continues to gain features that allow it to steal information from web browsers, facilitate cryptocurrency theft, and run arbitrary commands and programmes, with the results being sent to a remote server.
Finally, the researchers concluded: “This was web shells for ProxyLogon, and this is a covert and persistent backdoor for SolarMarker that is still operational months after the campaign stopped. Another important conclusion is that defenders should always examine whether attackers have left anything behind in the network that they can return to later.”