Threat actors associated with SolarMarker have shifted to watering hole attacks as a new method of delivering malware, replacing the SEO poisoning they previously relied on. In this new approach, they used fake Google Chrome updates to deliver malware to a global tax consulting firm with operations in the United States, the United Kingdom, Europe and Canada.
According to an eSentire advisory, the attackers were observed exploiting flaws in a WordPress-powered website belonging to a medical equipment manufacturer.
An employee of the victim organization searched for the manufacturer, landed on the compromised website, and was prompted to download a fake Chrome update.
The attacker-built update overlay changes its design to match the browser the victim is using. "Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page, which is hosted on hxxp://shortsaledamagereports[.]com," the advisory noted.
About the Malware
SolarMarker is a multistage malware family known for stealing data and creating backdoors. Its primary distribution method has been search engine optimization (SEO) manipulation, also referred to as spamdexing. Once a user is convinced to download a malicious document, SolarMarker can steal browser data, including financial information and saved login credentials.
Campaigns from SolarMarker
The .NET infostealer was first identified in 2020, spreading via a PowerShell installer.
Several SolarMarker campaigns were active in October 2021, and researchers noted commonalities among them. The attackers used SEO techniques to push trojanized websites up the search results, making use of websites that offered free templates and business forms.
In one SolarMarker campaign discovered in October 2021, more than 2,000 different search phrases were used to direct users to websites that dropped malicious, backdoored PDFs.
eSentire's Threat Response Unit (TRU) advises actions businesses should take to limit the impact of these attacks, such as educating staff that browsers update themselves automatically and never require a manual download from a third-party web page, and preventing staff from downloading files from unreliable sources.
The advisory also recommends better monitoring of the threat landscape to strengthen the organization's overall security posture, and endpoint monitoring with more frequent rule updates so that detections keep pace with the latest campaigns.
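As an added example of the kind of detection rule the advisory's monitoring advice calls for (this is not eSentire's code or a rule from the advisory), the following Python script scans web-proxy log lines for URLs that name a browser together with an update or installer verb and are served from a host other than the browser vendor's own domains. The log format, the `VENDOR_UPDATE_DOMAINS` allow-list and the sample log lines are constructed for this example; the lure host is the one the advisory names, written in its un-defanged form as it would appear in a real log.

```python
"""Flag browser-update lures served from non-vendor hosts in proxy logs.

Added example, not part of the eSentire advisory. The log format, the
vendor allow-list and the sample lines below are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Assumption: domains (suffix-matched) that legitimately serve browser
# updates. A real deployment should build this list from vendor documentation.
VENDOR_UPDATE_DOMAINS = ("google.com", "googleapis.com", "gvt1.com",
                         "mozilla.org", "microsoft.com")

# A URL that names a browser, then an update/installer verb, then a
# downloadable or server-side page extension (the advisory's lure was a
# PHP page, so .php is included alongside installer formats).
LURE_RE = re.compile(
    r"(chrome|firefox|edge)[\w-]{0,20}(update|upgrade|setup|install)"
    r"[\w-]*\.(exe|msi|zip|php)(\?|$)",
    re.IGNORECASE,
)

# Constructed proxy log: timestamp user src_ip method url status bytes
SAMPLE_LOG = """\
2023-04-20T14:02:11Z jdoe 10.1.2.3 GET http://shortsaledamagereports.com/chrome-update.php 200 18422
2023-04-20T14:02:15Z jdoe 10.1.2.3 GET http://shortsaledamagereports.com/ChromeUpdate.exe 200 3018240
2023-04-20T14:05:40Z asmith 10.1.2.9 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200 1500000
2023-04-20T14:06:02Z asmith 10.1.2.9 GET https://update.googleapis.com/service/update2 200 812
2023-04-20T14:07:30Z bwong 10.1.2.14 GET https://www.example-news.com/article/firefox-update-released 200 40000
2023-04-20T14:09:05Z bwong 10.1.2.14 GET http://shortsaledamagereports.com/firefox-update.php?v=2 200 17990
"""


def is_vendor_host(host):
    """True if host is, or is a subdomain of, an allow-listed vendor domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in VENDOR_UPDATE_DOMAINS)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, user, src, method, url, status, size = parts
    return {"ts": ts, "user": user, "src": src, "method": method,
            "url": url, "status": int(status), "bytes": int(size)}


def find_fake_update_downloads(log_text):
    """Return (user, host, url) for update-looking URLs on non-vendor hosts."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = urlsplit(rec["url"]).hostname or ""
        if LURE_RE.search(rec["url"]) and not is_vendor_host(host):
            hits.append((rec["user"], host, rec["url"]))
    return hits


if __name__ == "__main__":
    for user, host, url in find_fake_update_downloads(SAMPLE_LOG):
        print(f"ALERT user={user} host={host} url={url}")
```

The vendor allow-list is what keeps the genuine `dl.google.com` installer out of the alert list, and requiring a download or server-page extension keeps an ordinary news article about a Firefox release from firing. Both lists need tuning per environment; the point of the rule is that a real browser update never arrives as a file fetched from an unrelated third-party site.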