Some may remember SolarMarker, a malware campaign that has been active since September 2020, with telemetry data pointing to malicious activity as far back as April 2020. SolarMarker is a malware family known for its backdoor and data-stealing capabilities, delivered primarily through search engine optimization (SEO) manipulation that convinces users to download malicious documents, and a new version of this threat has now been identified.

It is worth noting that SolarMarker can steal auto-fill data, saved passwords, and saved credit card information from victims' web browsers. Beyond typical information theft, SolarMarker has extra capabilities, such as file transfer and execution of commands received from a C2 server, as well as defense-evasion techniques.

It should be noted that SolarMarker has several infection methods. The first uses Google Groups discussions: the attackers create multiple fake Google Groups, each containing 500-600 fake conversation entries that target the most common search terms across a wide variety of topics, with links that, for obvious reasons, should not be visited.

The second method uses SEO poisoning with PDF files hosted on websites: search engines index and link directly to the PDF files, and when the search result is clicked, the web browser opens the malicious PDF as it would any other PDF document on the web.

Last but not least are compromised WordPress sites, which deliver the same kind of content but use HTML pages hosted on the compromised site instead of PDFs. The HTML source of these malicious pages contains collections of links for other search terms, all pointing to other malicious pages on the same compromised server.
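The link structure just described (one page carrying dozens of keyword-style links that all point back to the same compromised host) is something a site owner or responder can check for mechanically. The following script is an added example, not code from the original post or from any SolarMarker analysis; the threshold values and the sample HTML pages are constructed assumptions, and the heuristic is only a triage signal, since legitimate tag clouds or sitemaps can look similar.

```python
"""Heuristic check for SEO-poisoning link-farm pages of the kind described above.

Added example, not from the original post. It relies only on the indicator the
post gives: a page whose source holds a large collection of links, each with a
different search-term-style anchor text, nearly all pointing to pages on the
same host. Thresholds and sample pages below are assumptions/constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, anchor_text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current_href = None
        self._text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current_href = dict(attrs).get("href")
            self._text_parts = []

    def handle_data(self, data):
        if self._current_href is not None:
            self._text_parts.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current_href is not None:
            text = " ".join("".join(self._text_parts).split())
            self.links.append((self._current_href, text))
            self._current_href = None
            self._text_parts = []


def extract_links(html):
    """Return every (href, anchor text) pair found in the page."""
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def link_farm_score(html, page_host, min_links=25, min_distinct_terms=20):
    """Score one page; thresholds are assumed values for triage, not facts from the post."""
    links = extract_links(html)
    same_host = 0
    terms = set()
    for href, text in links:
        # Relative links (empty netloc) stay on the page's own host.
        host = urlparse(href).netloc or page_host
        if host == page_host:
            same_host += 1
        # Multi-word anchor texts are treated as search-phrase candidates.
        if len(text.split()) >= 2:
            terms.add(text.lower())
    total = len(links)
    same_host_ratio = same_host / total if total else 0.0
    suspicious = (
        total >= min_links
        and same_host_ratio >= 0.9
        and len(terms) >= min_distinct_terms
    )
    return {
        "links": total,
        "same_host_ratio": round(same_host_ratio, 2),
        "distinct_terms": len(terms),
        "suspicious": suspicious,
    }


# Constructed sample: 40 keyword links all pointing back to the same host.
# Not a real page from any compromised site.
SAMPLE_FARM_HTML = "<html><body>" + "".join(
    f'<a href="/post-{i}.html">free sample {i} template download</a>'
    for i in range(40)
) + "</body></html>"

# Constructed sample: an ordinary page with a handful of navigation links.
SAMPLE_BENIGN_HTML = """<html><body>
<a href="/">Home</a> <a href="/about.html">About us</a>
<a href="https://docs.example.org/guide">Reference guide</a>
<p>Contact: <a href="mailto:info@example.org">info</a></p>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("farm", SAMPLE_FARM_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(name, link_farm_score(page, "victim-site.example"))
```

Run it over the HTML files served by a site (for example, everything a crawler can reach under the document root) and review the pages flagged as suspicious by hand; the same-host ratio is what separates a link farm from a normal page that merely has many outbound links.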

Some time ago SolarMarker was more prevalent in Western countries, especially in the US, but you never know where these threats will arrive, so taking some security measures would not hurt.

