SolarMarker is a Remote Access Trojan (RAT) that installs when a user opens a malicious file. That file runs a binary which in turn downloads the RAT to the victim's machine. To get the file in front of victims, the campaign relies on search engine redirection: Google users searching for business-related forms, such as invoices or questionnaires, are steered to compromised or attacker-controlled websites that host the infected files.

The SolarMarker backdoor has been used against organizations in many verticals, regions and countries. The infection chain begins when the victim downloads a fake document installer from one of the malicious websites. In the second stage, several files are written to disk, decrypted and executed. The third stage decrypts and executes the backdoor itself and establishes persistence by modifying the user's desktop shortcuts so that they launch the malware. A fourth stage adds a second persistence mechanism by creating a shortcut in the Windows Startup folder. The final stage harvests saved credentials from multiple browsers and exfiltrates the stolen data to the command and control (C2) servers.

Victims are lured to attacker-controlled pages, hosted on Google Sites, while searching for a free online version of a document; the page offers a download button that delivers the Remote Access Trojan (RAT). These attacks begin with searches for questionnaires, invoices and receipts. Once the RAT is installed on the computer, the threat actors can load additional malware such as banking Trojans, ransomware and credential stealers.

The threat installs automatically when the downloaded executable runs, alongside a legitimate Slim PDF viewer: the attackers bundle Slim PDF so that the user sees a working application and does not suspect the installer. Once SolarMarker is active, the threat actors can send it commands and upload additional files to the system.
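The two persistence mechanisms described above, rewritten desktop shortcuts and a shortcut dropped in the Startup folder, leave artifacts that can be hunted for on an endpoint. The following PowerShell script is an added example, not code from the original article or from the SolarMarker analysis: it walks the per-user and all-users Desktop and Startup folders, resolves each .lnk file's target and arguments through the WScript.Shell COM object, and flags shortcuts that point at a script host, at a user-writable directory, or that carry hidden-window or policy-bypass arguments. The directory list, the script-host list and the argument regex are assumptions chosen for illustration; the sample shortcut it creates in %TEMP% is constructed only to exercise the check and is deleted afterwards.

```powershell
# Hunt for SolarMarker-style persistence: .lnk files on the desktop and in the
# Startup folders whose target has been rewritten to launch something suspicious.
# Added example, not from the original article; the heuristics below are assumptions.

$shell = New-Object -ComObject WScript.Shell

# Locations the article names: the desktop and the Windows Startup folder
# (both the per-user and the all-users variants).
$searchRoots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
) | Where-Object { $_ -and (Test-Path $_) }

# Heuristics (assumed for illustration): a shortcut whose target is a script host,
# whose target lives in a user-writable directory, or whose arguments hide the
# window, bypass execution policy or pass an encoded command.
$scriptHosts  = 'powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','cmd.exe'
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ProgramData) | Where-Object { $_ }
$argPattern   = '(?i)-(w|win|windowstyle)\s+hidden|-(e|enc|encodedcommand)\b|-(ep|executionpolicy)\s+bypass|-nop\b'

function Test-SuspiciousShortcut {
    param([Parameter(Mandatory)][string]$Path)
    $lnk     = $shell.CreateShortcut($Path)   # resolves TargetPath / Arguments from the .lnk
    $target  = [string]$lnk.TargetPath
    $args    = [string]$lnk.Arguments
    $reasons = @()
    $exe = [IO.Path]::GetFileName($target).ToLower()
    if ($scriptHosts -contains $exe) { $reasons += "target is script host $exe" }
    foreach ($dir in $userWritable) {
        if ($target -and $target.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "target under user-writable $dir"
        }
    }
    if ($args -match $argPattern) { $reasons += "suspicious arguments: $args" }
    [pscustomobject]@{
        Shortcut   = $Path
        Target     = $target
        Arguments  = $args
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample: a document-looking shortcut whose target was rewritten the way
# the article describes (hidden PowerShell running a script out of %APPDATA%).
# Created in %TEMP% only to demonstrate the check; removed at the end.
$sampleDir  = Join-Path $env:TEMP 'lnk-hunt-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
$samplePath = Join-Path $sampleDir 'Invoice.lnk'
$sample = $shell.CreateShortcut($samplePath)
$sample.TargetPath = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$sample.Arguments  = "-w hidden -ep bypass -File `"$env:APPDATA\loader.ps1`""
$sample.Save()

$results = foreach ($root in ($searchRoots + $sampleDir)) {
    Get-ChildItem -Path $root -Filter *.lnk -File -ErrorAction SilentlyContinue |
        ForEach-Object { Test-SuspiciousShortcut -Path $_.FullName }
}

# Only the flagged shortcuts are printed; on a clean host the constructed sample
# is the single hit.
$results | Where-Object Suspicious |
    Format-Table -AutoSize -Property Shortcut, Target, Arguments, Reasons

Remove-Item -Path $sampleDir -Recurse -Force
```

Run it in a normal (non-elevated) PowerShell session to cover the current user's folders; the all-users Desktop and Startup folders are readable without elevation. A shortcut that legitimately launches a script host will be flagged too, so treat hits as leads to inspect, and compare the resolved target against what the shortcut's icon and name claim it opens.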
