SolarMarker Attackers Use SEO Poisoning to Push Malicious Code

Cybercriminals leveraging the SolarMarker .NET-based backdoor are using a technique known as SEO poisoning to push malicious payloads into victims’ systems so they can gain access to the credentials and data inside.
According to researchers at Menlo Security, the SolarMarker campaign is one of two such efforts they have seen in recent months using SEO poisoning to deceive users and get them to download the malicious payload onto their systems. They are also the latest examples of bad actors both using supply chain types of attacks and looking to take advantage of an IT world that is continuing to decentralize as enterprises migrate more workloads and data to the cloud and more people work remotely.
The SolarMarker campaign is another indication of the growing use of the remote access Trojan (RAT), which has been linked to other breaches and previously has been seen to use SEO poisoning tactics.
“In addition to SolarMarker, the Menlo Labs team has seen an increase in attacks designed to target users, as opposed to organizations, bypassing traditional security measures,” the researchers wrote in a blog post this week. “These types of highly evasive attacks have been seen before, but the speed, volume, and complexity of this new wave has increased in recent months.”
Compromising Devices Through Search Results
Hackers are “exploiting the new world order in which the lines between business and personal device use are blurred,” they wrote. “In these attacks, threat actors turn advances in web browsers and browser capabilities to their advantage to deliver ransomware, steal credentials, and drop malware directly to their targets.”
In this case, the bad actors are using SEO poisoning to leverage SolarMarker, a .NET-based backdoor, and get malware into victims’ systems. Another campaign, which they call Gootloader, was observed doing the same with the REvil ransomware.
In the SolarMarker campaign, the cybercriminals use the SEO poisoning technique by injecting their malicious or compromised website with keywords that users might search for – in this case involving such topics as “industrial hygiene” or “sports mental toughness” – which artificially increases the ranking of their malicious pages and makes it more likely users will click on them.
Malicious SolarMarker downloads
Users searching on these terms might find the compromised website that hosts malicious PDFs in their search results. If they click on the SEO-poisoned link, they see a malicious PDF on the page. Clicking on either the PDF or a Doc icon on the same page eventually leads to the malicious payload being downloaded onto the user’s endpoint. Stolen data is then collected and sent to a command-and-control server.
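A defender-side way to spot the keyword-stuffed pages described above, as an added example that is not code from the article or from Menlo Security: it scores how much of a page’s visible text consists of repeats of a watched search phrase and counts elements hidden with display:none, two signs that a site has been injected for SEO poisoning. The sample pages, the WATCHED list and the 0.25 threshold are constructed assumptions.

```python
import re

# Constructed sample pages (not from the article). The first is a normal
# post; the second mimics the keyword-stuffed pages SEO poisoning relies on.
BENIGN = """<html><body><h1>Lab safety notes</h1>
<p>Our industrial hygiene team reviewed ventilation in the new lab and
found airflow within limits. Next audit is scheduled for spring.</p>
</body></html>"""
STUFFED = """<html><body><script>var x = 1;</script>
<p>industrial hygiene pdf industrial hygiene free download industrial
hygiene forms industrial hygiene checklist industrial hygiene template</p>
<div style="display:none">industrial hygiene industrial hygiene</div>
</body></html>"""

# Search phrases the article says the campaign targeted (assumed watch list).
WATCHED = ["industrial hygiene", "sports mental toughness"]


def words_of(html):
    """Lower-cased word tokens of the visible text (script/style dropped)."""
    text = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)  # crude tag strip, enough for a heuristic
    return re.findall(r"[a-z0-9']+", text.lower())


def phrase_density(html, phrase):
    """Fraction of the page's words that belong to repeats of `phrase`."""
    words, toks = words_of(html), phrase.lower().split()
    n = len(toks)
    if not words or n == 0:
        return 0.0
    hits = sum(1 for i in range(len(words) - n + 1) if words[i:i + n] == toks)
    return hits * n / len(words)


def hidden_text_blocks(html):
    """Count elements hidden with display:none, a common place to stuff keywords."""
    return len(re.findall(r"""<[^>]+style=["'][^"']*display\s*:\s*none""", html, re.I))


def is_stuffed(html, phrases=WATCHED, threshold=0.25):
    """Flag a page when any watched search phrase dominates its visible text."""
    return any(phrase_density(html, ph) >= threshold for ph in phrases)


if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("stuffed", STUFFED)):
        print(name, round(phrase_density(page, WATCHED[0]), 3),
              hidden_text_blocks(page), is_stuffed(page))
```

Run it over a crawl of your own site’s pages; a sudden jump in density or in hidden blocks on a page that used to be clean is the signal worth investigating.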
Bad Actors Target WordPress Sites
The payloads themselves vary in size, from 70MB to about 123MB. In addition, all of the compromised sites – most were benign before being compromised by attackers – that served the malicious PDFs found by Menlo were WordPress sites, including some educational and .gov websites. The directory location serving the PDFs was created through WordPress’ Formidable Forms plugin, which allows administrators to easily create a form.
The researchers wrote that those affected were notified and the malicious PDFs taken down.
Another WordPress plugin recently was found by Wordfence threat researchers to be vulnerable to attack. In a blog post this week, the Wordfence Threat Intelligence team – Wordfence offers an endpoint firewall and malware scanner designed to protect WordPress – said that in late August they disclosed a vulnerability dubbed CVE-2021-39333 in the Hashthemes Demo Importer plugin to WordPress. The vulnerability “allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.”
A patched version of the plugin – 1.1.2 – became available in late September.
“The appeal of WordPress is its flexibility in function as well as its ease of use and setup,” Leo Pate, managing consultant at application security vendor nVisium, told eSecurity Planet. “However, just like any software, its developers and those who make WordPress components, such as plugins and templates, are bound to make mistakes. This leads to vulnerabilities being introduced in a user’s websites. Because of this, it is important for users to look holistically at their WordPress environment and incorporate security at each component,” including the server, network and application tiers.
Rick Holland, CISO and vice president of strategy at risk protection firm Digital Shadows, told eSecurity Planet that a vulnerability in such components as plugins “highlights the increased attack surface from third-party code in the same way that browser extensions do. Software companies are responsible for their code and the code that runs on top of their code. Destructive threat actors, hacktivists or actors deleting sites for the ‘lulz’ would be most interested in this type of vulnerability.”
SolarMarker’s Growing Profile
The SolarMarker backdoor has been on the radar of security researchers for much of this year. Researchers at threat intelligence firm Cyware in June wrote about SolarMarker, saying bad actors were using SEO poisoning techniques to get the malware onto systems. They noted that in April, attackers using SolarMarker had flooded search results with more than 100,000 web pages that offered free office forms, including resumes, invoices, receipts and questionnaires.
Bad actors were using keyword-stuffed documents that were hosted on Amazon Web Services (AWS) and Strikingly, a website builder. They said the developers of SolarMarker were likely Russian-speaking.
Cisco Systems’ Talos unit in July also wrote about SolarMarker.
eSentire, a managed detection and response (MDR) vendor, in a blog post earlier this month wrote that its Threat Response Unit had seen a five-fold increase in SolarMarker infections. Before September, the eSentire unit was detecting and shutting down one infection per week. Since then, the average has been five per week. Around the same time, SolarMarker attackers shifted from relying on Blogspot and Google Sites and content delivery networks to hosting malicious files on WordPress.
More Than a Million Malicious Pages
The eSentire researchers wrote that in recent incidents, “nearly all of SolarMarker attacks being delivered from compromised WordPress sites – a technique previously employed by Gootloader, a JavaScript-based infection framework originally developed to deliver the Gootkit banking trojan. Based on open source research, it appears that this change [to WordPress] has allowed the threat actors to drastically increase the number of malicious webpages being hosted online.”
The number of malicious pages from SolarMarker attacks jumped from more than 100,000 to more than 1 million. The bad actors also use such techniques as large payload sizes, obfuscated payload modules and stolen certificates to evade detection by antivirus products.
As remote work becomes more commonplace, the browser is becoming a more central tool for employees, according to the Menlo researchers. They pointed to a study by Google that found end users spend an average of 75 percent of their workday in a browser and Menlo’s own survey this month that showed that three-quarters of respondents said hybrid and remote employees accessing applications on unmanaged devices is a significant security threat.
“While SolarMarker is a classic example of a supply chain-style attack in which attackers can take advantage of vulnerable sites to launch their malicious campaigns, it is also an example of how attackers have quickly found ways to exploit the increased usage of the browser, as well as companies pivoting to cloud-based applications,” they wrote. “What makes this type of attack especially dangerous is the method used to initiate it. … [T]hese attacks have been specifically designed to target the user directly by evading traditional methods of detection.”