SolarMarker attackers use SEO poisoning to push malicious code

Cybercriminals who operate the SolarMarker .NET-based backdoor use a technique called SEO poisoning to deliver malicious payloads onto victims’ systems so that they can gain access to credentials and the data those systems hold.

According to Menlo Security researchers, the SolarMarker campaign is one of two such efforts they have seen in recent months using SEO poisoning to trick users into downloading a malicious payload onto their systems. These are also the latest examples of bad actors using supply chain attack techniques and seeking to take advantage of an IT world that continues to decentralize as businesses migrate more workloads and data to the cloud and more and more people work remotely.

The SolarMarker campaign is another indication of the growing use of the Remote Access Trojan (RAT), which has been linked to other breaches and which has previously used SEO poisoning tactics.

“In addition to SolarMarker, the Menlo Labs team has seen an increase in attacks designed to target users, as opposed to organizations, bypassing traditional security measures,” the researchers wrote in a blog post this week. “These types of very evasive attacks have been seen before, but the speed, volume and complexity of this new wave have increased in recent months.”

Compromising devices through search results

Hackers “are exploiting the new world order in which the lines between the use of business and personal devices are blurred,” they wrote. “In these attacks, threat actors leverage advancements in web browsers and browser capabilities to deliver ransomware, steal credentials, and drop malware directly on their targets.”

In this case, bad actors are using SEO poisoning to deliver SolarMarker, a .NET-based backdoor, onto victims’ systems. Another campaign, which the researchers call Gootloader, has been observed doing the same with the REvil ransomware.

In the SolarMarker campaign, cybercriminals apply the SEO poisoning technique by injecting their malicious or compromised websites with keywords that users are likely to search for – in this case topics such as “industrial hygiene” or “mental strength of sport” – which artificially raises the ranking of their malicious pages and increases the likelihood that users will click on them.

SolarMarker malicious downloads

Users searching for these terms may find the compromised website, which hosts malicious PDF files, in their search results. If they click on the SEO-poisoned link, they are shown a malicious PDF on the page. Clicking on the PDF or Doc icon on that page eventually downloads the malicious payload to the user’s endpoint. Stolen data is then collected and sent to a command and control server.


Bad actors target WordPress sites

The payloads themselves vary in size, from 70MB to around 123MB. Additionally, all of the compromised sites – most of them benign before being compromised by attackers – that served the malicious PDFs found by Menlo were WordPress sites, including some educational and .gov websites. The directory serving the PDFs was created by WordPress’ Formidable Forms plugin, which lets admins easily create forms.
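The infection chain above (search result, compromised WordPress site, PDF click, payload download) leaves a recognisable trace in the compromised site’s web server logs. As an added defender-side example that is not part of the original article or of Menlo’s research, the following script flags PDF requests served from a WordPress upload directory whose referer is a search-engine results page; the log lines, the site name and the `formidable` upload path are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2021:10:01:02 +0000] "GET /wp-content/uploads/formidable/3/industrial-hygiene-handbook.pdf HTTP/1.1" 200 418233 "https://www.google.com/search?q=industrial+hygiene+pdf" "Mozilla/5.0"
203.0.113.5 - - [12/Nov/2021:10:01:09 +0000] "GET /wp-content/uploads/formidable/3/download.php HTTP/1.1" 302 0 "https://example.edu/wp-content/uploads/formidable/3/industrial-hygiene-handbook.pdf" "Mozilla/5.0"
198.51.100.7 - - [12/Nov/2021:10:05:44 +0000] "GET /newsletter/2021-q3.pdf HTTP/1.1" 200 90211 "https://example.edu/news/" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2021:10:07:10 +0000] "GET /wp-content/uploads/2021/10/brochure.pdf HTTP/1.1" 200 55000 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yahoo.")
# Assumption: plugin-created upload folders live under the standard WordPress uploads path.
UPLOAD_DIR = "/wp-content/uploads/"


def search_query(referer):
    """Return the search keywords if the referer is a search-engine results page, else None."""
    parsed = urlparse(referer)
    if not any(engine in parsed.netloc.lower() for engine in SEARCH_ENGINES):
        return None
    params = parse_qs(parsed.query)
    # Google/Bing/DuckDuckGo use "q"; Yahoo uses "p".
    return (params.get("q") or params.get("p") or [""])[0]


def flag_seo_poisoned_pdf_hits(log_text):
    """Flag PDFs under the uploads directory fetched directly from a search-engine result."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["path"].lower()
        if not (path.startswith(UPLOAD_DIR) and path.endswith(".pdf")):
            continue
        query = search_query(m["referer"])
        if query is None:
            continue  # internal navigation or no referer: not a poisoned-search landing
        hits.append({"ip": m["ip"], "path": m["path"], "query": query})
    return hits


if __name__ == "__main__":
    for hit in flag_seo_poisoned_pdf_hits(SAMPLE_LOG):
        print(f"{hit['ip']} landed on {hit['path']} via search for {hit['query']!r}")
```

On a legitimate site, search-engine landings on a form plugin’s upload folder should be rare, so each hit is a candidate for review of that directory’s contents and the site’s admin accounts.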

The researchers wrote that those affected were notified and that the malicious PDF files were deleted.

Wordfence threat researchers recently discovered that another WordPress plugin is vulnerable to attack. In a blog post this week, the Wordfence Threat Intelligence team – Wordfence offers a firewall and malware scanner designed to protect WordPress – said that at the end of August it disclosed a vulnerability, tracked as CVE-2021-39333, in the Hashthemes Demo Importer plugin for WordPress. The vulnerability “allowed any authenticated user to completely reset a site, permanently deleting almost all database content as well as all downloaded media.”

A patched version of the plugin, 1.1.2, became available at the end of September.

“The appeal of WordPress is its flexibility as well as its ease of use and configuration,” Leo Pate, management consultant at application security vendor nVisium, told eSecurity Planet. “However, like any software, its developers and those who make WordPress components, such as plugins and templates, are bound to make mistakes. This leads to the introduction of vulnerabilities in a user’s websites. For this reason, it is important that users take a holistic look at their WordPress environment and build security into every component,” including the server, network, and application levels.

Rick Holland, CISO and vice president of strategy at digital risk protection firm Digital Shadows, told eSecurity Planet that a vulnerability in components such as plugins “highlights the increased attack surface of third-party code, in the same way as browser extensions. Software publishers are responsible for their code and the code that runs on their code. Destructive threat actors, hacktivists or actors defacing sites for ‘lulz’ would be the most interested in this type of vulnerability.”


Growing Profile of SolarMarker

The SolarMarker backdoor has been on the radar of security researchers for much of this year. Researchers from threat intelligence firm Cyware wrote in June about SolarMarker, claiming bad actors were using SEO poisoning techniques to introduce malware into systems. They noted that in April, attackers using SolarMarker flooded the search results with more than 100,000 web pages offering free office forms, including resumes, invoices, receipts and questionnaires.

The bad actors were using keyword-laden documents hosted on Amazon Web Services (AWS) and Strikingly, a website builder. Cyware said the developers of SolarMarker were probably Russian speaking.

Cisco Systems’ Talos unit in July also wrote about SolarMarker.

eSentire, a Managed Detection and Response (MDR) provider, wrote in a blog post earlier this month that its Threat Response Unit had seen the number of SolarMarker infections it handles quintuple. Before September, the eSentire unit detected and stopped one infection per week; since then, the average has been five a week. Around the same time, SolarMarker attackers stopped relying on Blogspot, Google Sites and content delivery networks to host malicious files and moved to WordPress.

Over a million malicious pages

eSentire researchers wrote that in recent incidents, “the majority of SolarMarker attacks have come from compromised WordPress sites – a technique previously used by Gootloader, a JavaScript-based infection framework originally developed to deliver the Gootkit banking Trojan. Based on open source research, it appears that this change [to WordPress] enabled threat actors to dramatically increase the number of malicious web pages hosted online.”

The number of malicious pages from SolarMarker attacks has increased from over 100,000 to over one million. Malicious actors also use techniques such as large payload sizes, obfuscated payload modules, and stolen certificates to evade detection by anti-virus products.

As remote working becomes more common, the browser becomes a more central tool for workers, according to Menlo researchers. They pointed to a Google study that found end users spend an average of 75% of their workday in a browser and Menlo’s own survey this month which showed that three-quarters of those polled said that hybrid and remote workers accessing applications on unmanaged devices is a security threat.

“While SolarMarker is a classic example of a supply chain attack in which attackers can take advantage of vulnerable sites to launch their malicious campaigns, it is also an example of how attackers quickly found ways to harness the increased use of the browser, as well as businesses turning to cloud-based applications,” they wrote. “What makes this type of attack particularly dangerous is the method used to initiate it. … [T]hese attacks were specifically designed to directly target the user by avoiding traditional methods of detection.”
