Cybercriminals using the SolarMarker .NET-based backdoor employ a method known as SEO poisoning to push malicious payloads onto victims’ computers in order to gain access to the credentials and data stored on them.
According to Menlo Security researchers, the SolarMarker campaign is one of two in recent months that have used SEO poisoning to trick users into downloading the malicious payload onto their computers. They are also the most recent examples of bad actors employing supply chain attacks and attempting to capitalize on an IT environment that continues to decentralize as organizations shift more workloads and data to the cloud and more people work remotely.
The SolarMarker campaign is just another example of the expanding usage of the remote access Trojan (RAT), which has previously been tied to other breaches and has been shown to employ SEO poisoning methods.
“In addition to SolarMarker, the Menlo Labs team has seen a rise in attacks designed to target users, as opposed to organizations, bypassing traditional security measures,” the researchers wrote in a blog post this week. “These types of highly evasive attacks have been seen before, but the velocity, volume, and complexity of this new wave have increased in recent months.”
Devices are being compromised through the use of search results
Hackers are “exploiting the new world order in which the lines between business and personal device use are blurred,” they wrote. “In these attacks, threat actors turn advances in web browsers and browser capabilities to their advantage to deliver ransomware, steal credentials, and drop malware directly to their targets.”
In this case, bad actors are using SEO poisoning to deliver SolarMarker, a .NET-based backdoor, and install malware on victims’ computers. Another campaign, known as Gootloader, was found doing the same thing with the REvil ransomware.
The SolarMarker campaign employs the SEO poisoning technique, in which cybercriminals stuff their malicious or compromised website with keywords that users may search for – in this case, subjects such as “industrial hygiene” or “sports mental toughness” – artificially boosting the ranking of their malicious pages and increasing the likelihood that users will click on them.
Users who search for such phrases may find a compromised website hosting malicious PDFs in their results. Clicking the SEO-tainted link takes them to a malicious PDF on the site. When the user clicks the PDF or Doc icon on that page, the malicious payload is downloaded onto the user’s endpoint. Stolen data is subsequently sent to a command-and-control server.
WordPress Sites Being Targeted by Bad Actors
The payloads themselves range in size from 70MB to around 123MB. Furthermore, all of the compromised sites that served the malicious PDFs discovered by Menlo – most of which were innocuous before being penetrated by attackers – were WordPress sites, including several educational and .gov sites. The PDFs’ directory location was produced using WordPress’ Formidable Forms plugin, which allows administrators to easily build a form.
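A defender-side check for the delivery pattern described above (search-engine visitors landing directly on PDFs in a WordPress uploads directory, followed by a large archive download referred from one of those PDFs), written as an added example and not taken from the Menlo write-up. The log lines, IPs, hostnames and the `formidable/` upload path are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2021:10:01:12 +0000] "GET /wp-content/uploads/formidable/3/industrial-hygiene-guide.pdf HTTP/1.1" 200 184320 "https://www.google.com/" "Mozilla/5.0"
203.0.113.11 - - [14/Nov/2021:10:01:40 +0000] "GET /wp-content/uploads/2021/11/brochure.pdf HTTP/1.1" 200 90112 "https://example.edu/news/" "Mozilla/5.0"
203.0.113.12 - - [14/Nov/2021:10:02:05 +0000] "GET /wp-content/uploads/formidable/3/sports-mental-toughness.pdf HTTP/1.1" 200 201344 "https://www.bing.com/search?q=sports+mental+toughness" "Mozilla/5.0"
203.0.113.13 - - [14/Nov/2021:10:03:50 +0000] "GET /download/setup.zip HTTP/1.1" 200 98566144 "https://example.edu/wp-content/uploads/formidable/3/industrial-hygiene-guide.pdf" "Mozilla/5.0"
203.0.113.14 - - [14/Nov/2021:10:04:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SEARCH_ENGINES = ("google.", "bing.", "duckduckgo.", "yahoo.")
DOC_EXT = (".pdf", ".doc", ".docx")
PAYLOAD_EXT = (".zip", ".exe", ".msi")
LARGE_BYTES = 50 * 1024 * 1024  # the campaign's payloads were 70MB to 123MB


def is_search_referer(referer: str) -> bool:
    host = urlparse(referer).netloc.lower()
    return any(marker in host for marker in SEARCH_ENGINES)


def analyze(log_text: str) -> list[dict]:
    """Return one finding per log line that matches an SEO-poisoning delivery stage."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path, ref = m["path"].lower(), m["referer"]
        size = int(m["bytes"]) if m["bytes"].isdigit() else 0
        # Stage 1: a search-engine visitor lands straight on an uploaded document.
        if path.startswith("/wp-content/uploads/") and path.endswith(DOC_EXT) and is_search_referer(ref):
            findings.append({"ip": m["ip"], "path": m["path"], "reason": "search-engine hit on uploaded document"})
        # Stage 2: a large archive/installer is fetched with a hosted document as the referer.
        if path.endswith(PAYLOAD_EXT) and size >= LARGE_BYTES and urlparse(ref).path.lower().endswith(DOC_EXT):
            findings.append({"ip": m["ip"], "path": m["path"], "reason": "large payload referred from hosted document"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']:<15} {f['reason']:<45} {f['path']}")
```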
According to the researchers, people who were impacted were alerted, and the malicious PDFs were removed.
Wordfence threat researchers recently disclosed another vulnerable WordPress plugin. The Wordfence Threat Intelligence team revealed in a blog post this week – Wordfence sells an endpoint firewall and malware scanner meant to safeguard WordPress – that in late August it had disclosed a vulnerability, tracked as CVE-2021-39333, in the Hashthemes Demo Importer plugin for WordPress. The vulnerability “allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.”
A patched version of the plugin – 1.1.2 – became available in late September.
“The appeal of WordPress is its flexibility in purpose as well as its ease of use and setup,” Leo Pate, managing consultant at application security vendor nVisium, told eSecurity Planet. “However, just like any software, its developers and those that make WordPress components, such as plugins and templates, are bound to make mistakes. This leads to vulnerabilities being introduced in a user’s website. Because of this, it is important for users to look holistically at their WordPress environment and incorporate security at each component,” including the server, network, and application tiers.
Rick Holland, CISO and vice president of strategy at risk management firm Digital Shadows, told eSecurity Planet that a vulnerability in components such as plugins “highlights the increased attack surface from third-party code in the same way that browser extensions do. Software companies are responsible for their code and the code that runs on top of their code. Destructive threat actors, hacktivists, or actors deleting sites for the ‘lulz’ would be most interested in this sort of vulnerability.”
The Increasing Profile of SolarMarker
For much of this year, security experts have been keeping an eye on the SolarMarker backdoor. SolarMarker was discovered in June by researchers at threat intelligence firm Cyware, who claimed that malicious actors were utilizing SEO poisoning tactics to get the malware onto computers. They stated that in April, SolarMarker-using attackers flooded search results with over 100,000 web pages offering free office forms such as resumes, invoices, receipts, and questionnaires.
Keyword-stuffing documents housed on Amazon Web Services (AWS) and Strikingly, a website builder, were used by bad actors. They stated that the SolarMarker creators were most likely Russian-speaking.
SolarMarker was also mentioned by Cisco Systems’ Talos team in July.
In a blog post earlier this month, eSentire, a managed detection and response (MDR) company, stated that its Threat Response Unit had noticed a five-fold spike in SolarMarker infections. Prior to September, the eSentire unit detected and eliminated one infection every week. Since then, the weekly average has been five. Around the same time, SolarMarker attackers shifted away from using Blogspot and Google Sites, as well as content delivery networks, to store malicious files on WordPress.