Last Updated on 03/02/2022 by Nidhi Khandelwal
The operators of the SolarMarker information stealer and backdoor have been discovered using subtle ways to create long-term persistence on compromised computers, indicating that threat actors are constantly changing tactics and updating their defensive mechanisms.
Despite the campaign's decline in November 2021, the remote access implants are still being identified on targeted networks, according to cybersecurity firm Sophos, which spotted the new behavior.
The .NET-based malware, which has both information-harvesting and backdoor capabilities, has been linked to at least three different attack waves in 2021. The first, disclosed in April, used search engine poisoning techniques to lure business professionals into visiting dubious sites surfaced through Google that installed SolarMarker on their computers.
The malware was then discovered in August to be targeting the healthcare and education sectors with the aim of stealing credentials and sensitive information. The use of MSI installers to ensure delivery of the malware was noted in subsequent infection chains published by Morphisec in September 2021.
SolarMarker starts by leading users to decoy sites that drop MSI installer payloads which, while installing seemingly legitimate apps such as Adobe Acrobat Pro DC, Wondershare PDFelement, or Nitro Pro, also run a PowerShell script to deliver the malware.
To ensure persistence, the PowerShell installer modifies the Windows Registry and drops a .LNK file into the Windows Startup folder. This unauthorized change causes the malware to be loaded from an encrypted payload concealed behind a "smokescreen" of 100 to 300 junk files created specifically for this purpose, according to the researchers.
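As an added, defender-side example (not code from the article or from Sophos), the following PowerShell script enumerates shortcuts in the per-user and all-users Startup folders and entries in the Run keys, resolves each target, and flags entries that launch PowerShell with hidden or encoded arguments or whose target directory holds an unusually large number of files, the pattern described above. The 100-file threshold, the choice of Run keys (the article does not name which registry locations were modified) and the argument patterns are assumptions, not indicators taken from the research.

```powershell
# Added defender-side example, not code from the article or from Sophos.
# Lists Startup-folder shortcuts and Run-key entries and flags those that match
# the persistence pattern described in the text. Thresholds, registry paths and
# match patterns are assumptions.

$junkFileThreshold = 100   # assumption: the article cites 100-300 junk files as a smokescreen

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell = New-Object -ComObject WScript.Shell

function Get-SuspicionReasons {
    param([string]$Target, [string]$Arguments)
    $reasons = @()
    # Entry launches PowerShell, especially with a hidden window or an encoded command
    if ($Target -match '(?i)powershell(\.exe)?$' -or
        $Arguments -match '(?i)-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden') {
        $reasons += 'launches PowerShell / hidden or encoded command'
    }
    # Target directory padded with a large number of files
    $targetDir = if ($Target) { Split-Path -Path $Target -Parent } else { $null }
    if ($targetDir -and (Test-Path -LiteralPath $targetDir)) {
        $count = (Get-ChildItem -LiteralPath $targetDir -File -ErrorAction SilentlyContinue | Measure-Object).Count
        if ($count -ge $junkFileThreshold) { $reasons += "target directory holds $count files" }
    }
    return $reasons
}

$findings = @()

# 1. .LNK files dropped into the Startup folders
foreach ($dir in $startupDirs) {
    foreach ($lnkFile in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $lnk = $shell.CreateShortcut($lnkFile.FullName)
        $findings += [pscustomobject]@{
            Source  = $lnkFile.FullName
            Target  = $lnk.TargetPath
            Args    = $lnk.Arguments
            Reasons = (Get-SuspicionReasons -Target $lnk.TargetPath -Arguments $lnk.Arguments) -join '; '
        }
    }
}

# 2. Registry Run keys (assumption: the article does not say which keys were modified)
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd = [string]$p.Value
        # Split "exe args"; the executable path may be quoted
        $exe  = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
        $rest = $cmd.Substring([Math]::Min($cmd.Length, $cmd.IndexOf($exe) + $exe.Length))
        $findings += [pscustomobject]@{
            Source  = "$key\$($p.Name)"
            Target  = $exe
            Args    = $rest.Trim()
            Reasons = (Get-SuspicionReasons -Target $exe -Arguments $rest) -join '; '
        }
    }
}

# Flagged entries first, then everything else for manual review
$findings | Sort-Object { $_.Reasons -eq '' } | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so the all-users Startup folder and the HKLM Run key are readable; entries with an empty Reasons column are listed for context rather than hidden, because a shortcut pointing at a legitimately installed PDF tool can still be worth a second look when it appeared alongside an unexpected MSI install.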