The operators of the SolarMarker information stealer and backdoor have been observed using stealthy Windows Registry techniques to establish long-term persistence on compromised devices, indicating that the threat actors continue to change tactics and update their defensive tooling. Despite a drop-off in the operation's activity in November 2021, the remote access implants are still being found on targeted networks, according to cybersecurity company Sophos, which spotted the new behavior.
The .NET-based malware has been connected to at least three separate attack waves in 2021, boasting information harvesting and backdoor capabilities. The first set, disclosed in April, used search engine poisoning tactics to dupe business professionals into visiting dubious Google pages that installed SolarMarker on their computers. The malware was then discovered to be targeting the healthcare and education sectors in August to steal credentials and sensitive information.
The use of MSI installers to distribute the malware was noted in subsequent infection chains documented by Morphisec in September 2021. SolarMarker's method starts by leading users to decoy sites that drop MSI installer payloads which, while installing seemingly genuine applications such as Adobe Acrobat Pro DC, Nitro Pro, or Wondershare PDFelement, actually run a PowerShell script that deploys the malware.
“These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted,” said Sophos researchers Gabor Szappanos and Sean Gallagher.
The PowerShell installer modifies the Windows Registry and drops a .LNK file into the Windows Startup directory to ensure persistence. According to the researchers, this malicious modification causes the malware to be loaded from an encrypted payload concealed behind a “smokescreen” of 100 to 300 junk files created specifically for this purpose.
Furthermore, the associated junk file's unique, random file extension is used to register a custom file type key, which in turn launches a PowerShell command from the Registry to execute the malware on system startup. Meanwhile, the backdoor continues to evolve, with features that allow it to steal information from web browsers, facilitate bitcoin theft, and run arbitrary commands and programs. The results are sent to a remote server.
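The two persistence locations described above, the Startup folder shortcut and the custom file-type handler whose open command invokes PowerShell, can be audited on a Windows host. The script below is an added defensive example, not code from the article or from Sophos; it assumes a PowerShell 5.1 or later session, the standard per-user and all-users Startup folders, and treats any user-registered extension whose `shell\open\command` runs PowerShell as suspicious. Extending the registry check to `HKLM:\Software\Classes` is left as an obvious variation.

```powershell
# Added defensive audit (not from the article or Sophos): list Startup-folder
# shortcuts and HKCU file-type handlers that launch PowerShell, the two
# persistence mechanisms attributed to SolarMarker above.
# Assumptions: PowerShell 5.1+, standard Startup folder locations, and that a
# user-registered extension whose open command runs PowerShell is suspicious.

$findings = @()

# 1. Shortcuts (.LNK) in the per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $findings += [pscustomobject]@{
            Source    = 'StartupShortcut'
            Location  = $_.FullName
            Target    = $lnk.TargetPath
            Arguments = $lnk.Arguments
        }
    }
}

# 2. Custom file-type keys under HKCU:\Software\Classes whose open command
#    runs PowerShell. A shortcut to a junk file with such an extension is
#    enough to run the handler at logon.
Get-ChildItem -Path 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like '.*' } |
    ForEach-Object {
        $ext    = $_.PSChildName
        $progId = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { return }
        $cmdKey = "HKCU:\Software\Classes\$progId\shell\open\command"
        if (-not (Test-Path $cmdKey)) { return }
        $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        if ($cmd -match '(?i)powershell|pwsh') {
            $findings += [pscustomobject]@{
                Source    = 'FileTypeHandler'
                Location  = "$ext -> $progId"
                Target    = $cmd
                Arguments = ''
            }
        }
    }

# Report. Long random extensions, or handlers that pass -EncodedCommand or
# -WindowStyle Hidden to PowerShell, deserve a closer look.
$findings | Format-Table -AutoSize
```

Cross-referencing the shortcut targets from the first list against the extensions flagged in the second is what ties the two mechanisms together: a Startup .LNK pointing at a file with a freshly registered, randomly named extension is the pattern the researchers describe.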