The Cyber Security News

Solarmarker Malware Uses Novel Techniques to Persist on Hacked Systems

February 1, 2022

In a sign that threat actors constantly shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks even though the campaign saw a decline in November 2021.

Boasting information-harvesting and backdoor capabilities, the .NET-based malware has been linked to at least three distinct attack waves in 2021. The first set, reported in April, took advantage of search engine poisoning techniques to trick business professionals into visiting sketchy Google sites that installed SolarMarker on the victim’s machines.


Then in August, the malware was observed targeting the healthcare and education sectors with the goal of harvesting credentials and sensitive information. Subsequent infection chains documented by Morphisec in September 2021 highlighted the use of MSI installers to ensure delivery of the malware.

The SolarMarker modus operandi begins with redirecting victims to decoy websites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement or Nitro Pro, also launch a PowerShell script to deploy the malware.


“These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF files hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted,” Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer is designed to alter the Windows Registry and drop a .LNK file into Windows’ startup directory to establish persistence. This unauthorized change results in the malware getting loaded from an encrypted payload hidden among what the researchers called a “smokescreen” of 100 to 300 junk files created specifically for this purpose.

“Typically, one would expect this linked file to be an executable or script file,” the researchers detailed. “But for these SolarMarker campaigns the linked file is one of the random junk files, and cannot be executed itself.”


What’s more, the unique and random file extension used for the linked junk file is used to create a custom file type key, which is ultimately used to execute the malware during system startup by running a PowerShell command from the Registry.
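To make that chain concrete for defenders, here is an added PowerShell hunt (written for this page, not taken from the Sophos report or this article) that walks the Startup folders, resolves each .LNK target, and flags targets with an unexpected extension whose custom file type handler in the Registry launches PowerShell. The Startup paths, the extension allow-list and the regex of suspicious handler strings are assumptions, not values from the article.

```powershell
# Added example: look for a Startup-folder .LNK pointing at a non-executable
# junk file whose extension has a custom file type whose open command runs
# PowerShell. Paths, allow-list and regex below are assumptions, not article data.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Extensions a Startup-folder shortcut normally points at (assumed allow-list).
$expectedExt = @('.exe', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.url', '.lnk', '.msi')
$classRoots  = @('HKCU:\Software\Classes', 'HKLM:\Software\Classes')

$shell = New-Object -ComObject WScript.Shell

function Get-OpenCommand([string]$Ext) {
    # Resolve <ext> -> ProgID -> shell\open\command in each Classes hive.
    foreach ($root in $classRoots) {
        $extKey = Join-Path $root $Ext
        if (-not (Test-Path $extKey)) { continue }
        $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $progId) { continue }
        $cmdKey = Join-Path $root "$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            if ($cmd) { return [pscustomobject]@{ Hive = $root; ProgId = $progId; Command = $cmd } }
        }
    }
    return $null
}

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue) {
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (-not $target) { continue }
        $ext = [System.IO.Path]::GetExtension($target).ToLower()
        if ($expectedExt -contains $ext) { continue }   # ordinary shortcut, skip
        $handler = Get-OpenCommand $ext
        $suspicious = $handler -and ($handler.Command -match 'powershell|pwsh|-enc|FromBase64')
        [pscustomobject]@{
            Shortcut   = $lnk.FullName
            Target     = $target
            Extension  = $ext
            Handler    = if ($handler) { $handler.Command } else { '<no custom file type>' }
            Suspicious = [bool]$suspicious
        }
    }
}
```

Any row with Suspicious set to True (or a non-standard extension with any custom handler at all) is worth triaging: a legitimate shortcut rarely needs a freshly registered file type just to be opened at logon.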

The backdoor, for its part, is ever-evolving, featuring an array of functionalities that enable it to steal information from web browsers, facilitate cryptocurrency theft, and execute arbitrary commands and binaries, the results of which are exfiltrated back to a remote server.

“Another key takeaway […], which was also seen in the ProxyLogon vulnerabilities targeting Exchange servers, is that defenders should always check whether attackers have left something behind in the network that they can return to later,” Gallagher said. “For ProxyLogon this was web shells, for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telemetry is still active months after the campaign ended.”

Some parts of this article are sourced from:
thehackernews.com
