An improved version of the SolarMarker malware has been described in detail by researchers. Improvements have been made, as well as new defence evasion strategies for remaining undetected. SolarMarker is a trojan that has multiple stages. To deploy their attack and remain undetected, the attackers employ disguised PowerShell scripts.
SolarMarker’s major infection vector is SEO poisoning, which is an attack strategy in which threat actors develop malicious websites that are densely packed with keywords and employ search engine optimization techniques to boost their visibility in search results.
What has happened?
Palo Alto Networks Unit 42 researchers issued a thorough technical report on a recent campaign. SolarMarker operators were seen exploiting sneaky Windows Registry methods to obtain long-term persistence on infected devices. They also stayed undiscovered by using signed files, obfuscated PowerShell scripts, huge files, and imitation of legitimate software installers.
The infection chains
To increase their rating in search results, the infection chain employed a 250MB.exe file for PDF readers and utilities housed on phoney websites crammed with keywords and SEO poisoning strategies. The early-stage dropper can avoid automatic examination by antivirus engines due to the enormous file size of the.exe. To escape suspicion, it also downloads and instals a legitimate software.
Parallel to its execution, the virus runs a PowerShell installer to install and run additional SolarMarker components. To carry out various actions, the campaign deployed two SolarMarker components: a backdoor and an infostealer.
Main Sections of the PowerShell Script
showWindowAsync hides PowerShell windows to keep malicious behaviour concealed from users’ eyes.
Writes the SolarMarker backdoor’s encrypted base64 payload to a file with a random extension in the TEMP folder. The lnk file in the starting folder is used to achieve persistence. The lnk’s target file is the SolarMarker backdoor’s encrypted base64 payload with the random extension. (You cannot run this file directly.)
Every file extension in a Windows system is connected with default software. The registry manages the associations between extensions and programmes. To run the encrypted payload, SolarMarker adds a handler to the custom random extension. This handler is a PowerShell script that decrypts the payload (backdoor) and puts the bytes into memory.
The backdoor and infostealer
Internal reconnaissance, system metadata collection, and uploading to a remote server over an encrypted channel are all capabilities of the SolarMarker backdoor.
The backdoor implant also deploys SolarMarker’s information-stealing module on the victim’s system. Web browsers can be used to steal autofill data, passwords, cookies, and credit card information.
Conclusion
The attackers behind the SolarMarker campaign have gone to great lengths to remain undetected. As a result, enterprises should keep up with the newest innovations in threat tactics and strategies. This may make it possible to implement more effective countermeasures in the face of such dangers.
Source: https://cyware.com/news/new-solarmarker-variant-with-improved-evasion-tactics-34dd61ca
