In a new approach to its watering-hole attacks, the group behind the SolarMarker malware is luring victims into downloading fake Chrome browser updates by compromising a WordPress-powered website.

Researchers have identified the hacking group using the SolarMarker malware, which delivers fake Chrome browser updates as part of watering-hole attacks. The watering-hole attack targeted a multinational tax consulting firm with operations in the US, Canada, the UK, and Europe.

It is a new tactic for the group, replacing its previous methods of spamdexing and search engine optimization (SEO) poisoning.

SolarMarker is a multistage piece of malware that can steal credit card numbers, passwords, and autofill information from victims’ web browsers.

Preparation for a Wider Attack?

The threat group was reportedly observed exploiting flaws in a medical equipment manufacturer's website. The website was built with the well-known open source content management system WordPress, according to an advisory released by eSentire's Threat Response Unit (TRU) on Friday.

The victim, who worked for a tax consulting firm, used Google to look for the manufacturer by name.

According to the advisory, “this misled the employee into downloading and executing SolarMarker, which posed as a Chrome update.”

The advisory further stated that “the phoney browser update overlay style is dependent on what browser the victim is using while accessing the infected website.” Besides Chrome, the user could instead be shown a fake Firefox or Edge update PHP page.

It is unclear whether the SolarMarker group is testing new tactics or preparing for a larger campaign: the TRU team has observed only a single infection using this vector, and previous SolarMarker attacks used SEO poisoning to target people searching online for free templates of well-known business documents and business forms.

Monitor Endpoints, Raise Employee Awareness

The TRU advisory offers four key actions that businesses should take to lessen the impact of these attacks, such as educating staff members about automatic browser updates and discouraging them from downloading files from dubious sources.

The advisory stated that “threat actors investigate the types of papers businesses look for and try to get in front of them with SEO.” Avoid free and bundled software, and download content only from reputable sources on the internet.

The advisory also recommended more threat-landscape monitoring to strengthen the organization's overall security posture, along with closer endpoint monitoring. TRU notes that this will require more frequent rule updates to detect the most recent campaigns.

SolarMarker Campaigns Back After Dormant Period

The .NET malware, which is installed through a PowerShell installer and has information-gathering capabilities and a backdoor, was first identified in 2020.

Sophos Labs discovered many active SolarMarker campaigns in October 2021 that shared a similar pattern: the use of SEO techniques. The attackers were able to place links to websites hosting Trojanized content in the search results of numerous search engines.

An earlier SolarMarker campaign that Menlo Security discovered in October 2021 used more than 2,000 different search phrases to direct users to websites. The websites ultimately dropped infected PDFs equipped with backdoors.