Threat actors regularly work on their attack strategy and defence measures to beat the protective measures. Solarmaker information stealer and backdoor operators have been using stealthy Windows Registry tricks to set up a deep and permanent connection with compromised systems. 

Sophos, a cybersecurity firm, observed the new pattern and remarked that remote access malware is still found on targeted networks despite the attacks trailing off in November 2021.

The .NET-based malware that can harvest information and has backdoor capabilities has been tracked to three separate attack waves in 2021. In April, the first wave was reported, and the first wave consisted search engine poisoning techniques that deceived business professionals and led them to shady Google sites. These sites got SolarMaker installed on the victim’s machines. 

Also read,

In August, the malware was targeting healthcare and education sectors for collecting credentials and sensitive information. Morpghisec assessed later infection chains and pointed out that MSI was used to implant malware.

The SolarMarker method initiates with redirecting victims to malicious websites that implant the MSI installer payloads. The websites under the garb of installing legitimate programs such as Adobe Acrobat Pro Dc, Wondershare PDFelement, or Nitro Pro installs a PowerShell script to drop the malware.

“These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted,” Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.

The PowerShell installer modifies the Windows Registry and plants a .LNK file into Windows’ startup directory to set up a permanent connection. The unauthorized change lead to malware getting installed from an encrypted payload concealed amid the—researchers call— “smokescreen” of 100 to 300 garbage files created specifically for it.

Normally, one would expect this linked file to be an executable or script file,” the researchers detailed. “But for these SolarMarker campaigns, the linked file is one of the random junk files, and cannot be executed itself.”