SolarMarker Attack Exploits WordPress Vulnerabilities, Fake Chrome Browser Updates

Researchers have discovered the cyber attack group behind the SolarMarker malware targeting a global tax consulting organization with a presence in the US, Canada, the UK and Europe, using fake Chrome browser updates as part of watering hole attacks.

It’s a new approach for the group, replacing their previous method of search engine optimization (SEO) poisoning, also known as spamming.

SolarMarker is multi-stage malware that can exfiltrate autofill data, saved passwords, and saved credit card information from victims’ web browsers.

Preparing for a wider attack?

According to an advisory published by eSentire’s Threat Response Unit (TRU) on Friday, the threat group was seen exploiting weaknesses in a medical equipment manufacturer’s website, which was built on the popular open-source content management system WordPress.

The victim, an employee of the tax consulting organization, had searched for the manufacturer by name on Google.

“This tricked the employee into downloading and running SolarMarker, which was disguised as a Chrome update,” the warning noted.

“The design of the fake browser update overlay is based on which browser the victim is using while visiting the infected website,” the warning added. “In addition to Chrome, the user may also receive the fake Firefox or Edge update PHP page.”
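The advisory describes a lure that is chosen to match the visitor's browser. One way a site owner or SOC can check a page for that behaviour is to fetch the same URL with several User-Agent strings and flag browser-specific "update" overlays that point at a download. The code below is an added example, not eSentire's or SolarMarker's; the sample responses, the `update.php` path and the regular expressions are constructed for illustration.

```python
import re

# Constructed sample responses for one URL fetched with different User-Agents.
# These are made up for this example, not captures from the reported incident.
SAMPLE_RESPONSES = {
    "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/103.0 Safari/537.36":
        '<div class="overlay">Your Chrome browser is out of date. '
        '<a href="/wp-content/uploads/update.php?b=chrome">Update Chrome</a></div>',
    "Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0":
        '<div class="overlay">Firefox update required. '
        '<a href="/wp-content/uploads/update.php?b=firefox">Download</a></div>',
    "curl/7.85.0":
        "<html><body><h1>Medical Equipment Catalogue</h1></body></html>",
}

# Wording typical of fake-update overlays, and links to script or binary downloads.
LURE_RE = re.compile(r"(update|out of date|upgrade)", re.I)
DOWNLOAD_RE = re.compile(r'href="([^"]+\.(?:php|exe|msi|zip)[^"]*)"', re.I)


def browser_from_ua(user_agent):
    """Return the browser a User-Agent string claims (chrome/firefox/edge) or None."""
    ua = user_agent.lower()
    if "edg/" in ua or "edge/" in ua:      # Edge UAs also contain 'chrome'
        return "edge"
    for name in ("chrome", "firefox"):
        if name in ua:
            return name
    return None


def lure_for_browser(html, user_agent):
    """Return the download link if the page pushes an 'update' for the visitor's own browser."""
    browser = browser_from_ua(user_agent)
    if browser is None:
        return None
    if browser in html.lower() and LURE_RE.search(html):
        match = DOWNLOAD_RE.search(html)
        return match.group(1) if match else None
    return None


def find_cloaked_lures(responses):
    """Map UA -> download link for UAs that got a lure while another UA got clean content."""
    hits = {}
    for ua, body in responses.items():
        link = lure_for_browser(body, ua)
        if link:
            hits[ua] = link
    served_clean = any(not LURE_RE.search(body) for body in responses.values())
    return hits if hits and served_clean else {}
```

A genuine Chrome, Firefox or Edge update is applied by the browser itself, so any page that asks the visitor to download an update file is a finding regardless of the link target.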

It is unclear whether the SolarMarker group is testing new tactics or preparing for a broader campaign, given that the TRU team has so far observed only a single infection via this vector. Previous SolarMarker attacks used SEO poisoning to hit people who were searching online for free templates of popular business documents and forms.

Monitor endpoints, educate employees

TRU’s advisory outlines four key steps organizations can take to reduce the impact of these types of attacks, including making employees aware that browser updates occur automatically and that files should not be downloaded from unknown sites.

“Threat actors research the types of documents businesses are looking for and try to put them in front with SEO,” the advisory stated. “Use only trusted sources when downloading content from the Internet and avoid free and bundled software.”

The advisory also recommended more vigilant monitoring of endpoints, which TRU adds will require more frequent rule updates to detect the latest campaigns, as well as improved monitoring of the threat landscape to strengthen the organization’s overall defense posture.

SolarMarker is running campaigns again after a period of inactivity

The .NET malware was first discovered in 2020 and is typically distributed via a PowerShell installer, with information-gathering capabilities and a backdoor.

In October 2021, Sophos Labs observed a number of active SolarMarker campaigns that followed a common pattern: using SEO techniques, cybercriminals managed to place links to websites hosting trojanized content in the results of various search engines.

A previous SolarMarker campaign reported by Menlo Security in October 2021 used more than 2,000 unique search terms, luring users to sites that then dropped malicious PDFs equipped with backdoors.


About the Author: Ted Simmons

I follow and report the current news trends on Google news.
