Friday, September 30, 2022

SolarMarker Attack Leverages Vulnerable WordPress Sites, Fake Chrome Browser Updates



Researchers have found the cyberattack group behind the SolarMarker malware targeting a global tax consulting organization with a presence in the US, Canada, the UK, and Europe, using fake Chrome browser updates as part of watering hole attacks.

This is a new approach for the group, replacing its previous method of search engine optimization (SEO) poisoning, also known as spamdexing.

SolarMarker is multistage malware that can exfiltrate autofill data, saved passwords, and saved credit card information from victims' web browsers.

Preparation for a Wider Attack?

According to an advisory published by eSentire's Threat Response Unit (TRU) on Friday, the threat group was seen exploiting vulnerabilities in a medical equipment manufacturer's website, which was built with the popular open source content management system WordPress.

The victim was an employee of a tax consulting organization and searched for the manufacturer by name on Google.

“This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update,” the advisory noted.

“The fake browser update overlay design is based on what browser the victim is using while visiting the infected website,” the advisory added. “Besides Chrome, the user could also receive the fake Firefox or Edge update PHP page.”

It's unclear whether the SolarMarker group is testing new tactics or preparing for a wider campaign, given that the TRU team has only observed a single infection of this vector type. Previous SolarMarker attacks used SEO poisoning to target people who searched online for free templates of popular business documents and business forms.

Monitor Endpoints, Raise Employee Awareness

The TRU advisory outlines four key steps organizations can take to reduce the impact of these kinds of attacks, including raising employee awareness that browser updates occur automatically, and avoiding downloading files from unknown sites.

“Threat actors research the kind of documents businesses look for and try to get in front of them with SEO,” the advisory stated. “Only use trusted sources when downloading content from the internet, and avoid free and bundled software.”

The advisory also recommended more vigilant endpoint monitoring, which TRU adds would require more frequent rule updates to detect the latest campaigns, as well as enhanced threat-landscape monitoring to bolster the organization's overall defense posture.
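As an added illustration that is not part of eSentire's advisory or this article, the monitoring the advisory recommends can be turned into a simple proxy-log rule: flag successful downloads that name a browser and promise an "update" but are served from a host that is not the browser vendor, which is exactly the fake Chrome, Firefox or Edge update PHP page described above. The log layout, the vendor host list and the sample lines are constructed assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately serve each browser's updates (illustrative assumption only).
VENDOR_HOSTS = {
    "chrome": ("google.com", "googleapis.com", "gstatic.com"),
    "firefox": ("mozilla.org", "mozilla.net"),
    "edge": ("microsoft.com", "windowsupdate.com"),
}
BROWSER_RE = re.compile(r"(chrome|firefox|edge)")
PAYLOAD_EXT = (".exe", ".msi", ".zip", ".ps1", ".php")
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload", "application/zip"}
# Constructed proxy log layout: "<client> <method> <url> <status> <content-type>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def host_is_vendor(host, browser):
    """True if host is the browser vendor's domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in VENDOR_HOSTS[browser])

def flag_fake_browser_updates(lines):
    """Return successful requests for a browser 'update' served by a non-vendor host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group(4) != "200":
            continue
        client, _, url, _, ctype = m.groups()
        parsed = urlparse(url)
        path = parsed.path.lower()
        b = BROWSER_RE.search(path)
        # The lure names a browser and promises an update; ignore everything else.
        if not b or "update" not in path:
            continue
        browser, host = b.group(1), (parsed.hostname or "").lower()
        if host_is_vendor(host, browser):
            continue
        # A PHP page posing as the update overlay, or an executable payload, from a third-party site.
        if path.endswith(PAYLOAD_EXT) or ctype.lower() in DOWNLOAD_TYPES:
            hits.append({"client": client, "host": host, "browser": browser, "url": url})
    return hits

# Constructed sample lines: "medical-equipment-example.test" stands in for the
# compromised WordPress site; the vendor entries are legitimate update traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET https://dl.google.com/chrome/update/ChromeUpdate.exe 200 application/octet-stream",
    "10.0.0.5 GET https://medical-equipment-example.test/wp-content/uploads/chrome-update.php 200 text/html",
    "10.0.0.5 GET https://medical-equipment-example.test/downloads/ChromeUpdate.exe 200 application/x-msdownload",
    "10.0.0.8 GET https://download.mozilla.org/?product=firefox-latest 302 text/html",
    "10.0.0.9 GET https://cdn.example.test/firefox-update.zip 200 application/zip",
]
```

Running `flag_fake_browser_updates(SAMPLE_LOG)` returns the three third-party "update" fetches and ignores the genuine vendor traffic; in practice the vendor list and the browser-name heuristic would need tuning for the organization's own traffic.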

SolarMarker Campaigns Back After Dormant Period

The .NET malware was first discovered in 2020 and is typically spread via a PowerShell installer, with information-gathering capabilities and a backdoor.

In October 2021, Sophos Labs observed a number of active SolarMarker campaigns that followed a typical pattern: using SEO techniques, the cybercriminals managed to place links to websites with Trojanized content in the search results of several search engines.

A previous SolarMarker campaign reported by Menlo Security in October 2021 used more than 2,000 unique search terms, luring users to sites that then dropped malicious PDFs rigged with backdoors.
