Solarmarker Malware Uses Novel Techniques to Persist on Hacked Systems


Aug 17, 2014
In a sign that threat actors continuously shift tactics and update their defensive measures, the operators of the SolarMarker information stealer and backdoor have been found leveraging stealthy tricks to establish long-term persistence on compromised systems.

Cybersecurity firm Sophos, which spotted the new behavior, said that the remote access implants are still being detected on targeted networks despite the campaign witnessing a decline in November 2021.
The SolarMarker modus operandi commences with redirecting victims to decoy sites that drop the MSI installer payloads, which, while executing seemingly legitimate install programs such as Adobe Acrobat Pro DC, Wondershare PDFelement or Nitro Pro, also launch a PowerShell script to deploy the malware.

"These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted," Sophos researchers Gabor Szappanos and Sean Gallagher said in a report shared with The Hacker News.


Feb 25, 2017
Here is a more detailed article by Sophos: SolarMarker campaign used novel registry changes to establish persistence

Explanation of @Andy Ful how Simple Windows Hardening can mitigate this attack: Q&A - Simple Windows Hardening

The blocking of often abused TLDs is also a pretty effective way of preventing one of the methods used by the threat actors:


In each of the three SEO baiting methods discussed above, the download links all connect to sites with the .site top-level domain (TLD). In the recent campaigns we have seen about 100 .site domains used. Typically the URLs referring to this site look like this:
The numeric parameter at the end of the original URL (/3 in this example) is irrelevant. Any number can be put in its place, and the returned content will be similar: a dynamically-created HTML redirect code using a domain selected at random from a large pool of second-stage redirector sites (in the case below, chargraman[.]ml). Each time the link is requested, a different next-stage domain is provided.
<meta http-equiv="refresh" content="0;URL=hxxps://chargraman[.]ml/22b0270b0a7e4dd147bc74ec3b799366/Clinical-Correlation-Recommended-After-Stress-Test/650845767/pdf">
While the example above uses the .ml TLD, the majority of the second-stage redirects in these campaigns used the .tk TLD. In the recent campaigns we have seen about 3000 domains used, of which more than 2000 were .tk domains (with the remainder relatively evenly spread across the .ga, .ml, .cf and .gq TLDs).
The second-stage redirect URLs contain the search term used as bait, and return an HTTP response code 302 to redirect to the final destination server.
The downloads all point to pdfdocdownloadspanel[.]site, which had hosted phishing content since at least 2019. The site has been shut down, so we were unable to retrieve a live version of the target page, but from telemetry from known cases we know that the next part of the infection chain is the download of an MSI installer carrying a decoy PDF viewer. So there should be a misleading link in between offering the installer, based on telemetry associated with the malware.
Source: SolarMarker campaign used novel registry changes to establish persistence

NextDNS and the Malwarebytes Browser Extension, for example, have the ability to block many uncommon and often abused TLDs:

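As an added example (not code from the thread or from Sophos), here is a small Python check a defender could run over fetched HTML to flag meta-refresh redirects whose target lands on one of the TLDs the Sophos write-up names above; the TLD block list, the refang helper and the sample page are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# TLDs the Sophos write-up reports across the SolarMarker redirect chain.
# Block list chosen for this example; tune it to your own environment.
ABUSED_TLDS = {"site", "tk", "ga", "ml", "cf", "gq"}

def refang(url):
    """Turn defanged notation (hxxps, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")

def tld_of(url):
    """Return the last DNS label of the URL's host, lower-cased ('' if none)."""
    host = urlparse(refang(url)).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""

def is_abused_tld(url):
    return tld_of(url) in ABUSED_TLDS

class MetaRefreshParser(HTMLParser):
    """Collects the target URLs of <meta http-equiv="refresh"> tags."""
    def __init__(self):
        super().__init__()
        self.targets = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
        if m:
            self.targets.append(m.group(1))

def flag_redirects(html):
    """Return meta-refresh targets that land on an abused TLD."""
    p = MetaRefreshParser()
    p.feed(html)
    return [t for t in p.targets if is_abused_tld(t)]

# Constructed sample page modelled on the redirect snippet quoted above.
SAMPLE_HTML = (
    '<html><head><meta http-equiv="refresh" content="0;URL=hxxps://chargraman[.]ml/'
    '22b0270b0a7e4dd147bc74ec3b799366/Clinical-Correlation-Recommended-After-Stress-Test/'
    '650845767/pdf"></head></html>'
)
```

Calling `flag_redirects(SAMPLE_HTML)` returns the single chargraman[.]ml target; a page redirecting to a .com or .org host returns an empty list.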