Cybercriminals leveraging the SolarMarker .NET-based backdoor are using a technique called SEO poisoning to drive malicious payloads into victims’ systems so they can gain access to the credentials and data within.
According to researchers at Menlo Security, the SolarMarker campaign is one of two such efforts they’ve seen in recent months using SEO poisoning to deceive users and get them to download the malicious payload into their systems. They’re also the latest examples of bad actors both using supply chain types of attacks and looking to take advantage of an IT world that is continuing to decentralize as enterprises migrate more workloads and data to the cloud and more people work remotely.
The SolarMarker campaign is another indication of the growing use of the remote access Trojan (RAT), which has been linked to other breaches and previously has been seen to use SEO poisoning tactics.
“In addition to SolarMarker, the Menlo Labs team has seen a rise in attacks designed to target users, as opposed to organizations, bypassing traditional security measures,” the researchers wrote in a blog post this week. “These types of highly evasive attacks have been seen before, but the velocity, volume, and complexity of this new wave has increased in recent months.”
Compromising Devices through Search Results
Hackers are “exploiting the new world order in which the lines between business and personal device use are blurred,” they wrote. “In these attacks, threat actors turn advances in web browsers and browser capabilities to their advantage to deliver ransomware, steal credentials, and drop malware directly to their targets.”
In this case, the bad actors are using SEO poisoning to leverage SolarMarker, a .NET-based backdoor, and get malware into victims’ systems. Another campaign, which they call Gootloader, was observed doing the same with the REvil ransomware.
In the SolarMarker campaign, the cybercriminals use the SEO poisoning technique by injecting their malicious or compromised website with keywords that users may search for – in this case involving such subjects as “industrial hygiene” or “sports mental toughness” – which artificially increases the ranking of their malicious pages and makes it more likely users will click on them.
Users using those search terms might find the compromised website that includes malicious PDFs in their search results. If they click on the SEO-poisoned link, they see a malicious PDF on the page. Clicking on either the PDF or a Doc icon on the same page eventually leads to the malicious payload being downloaded onto the user’s endpoint. Stolen data then is taken and sent to a command-and-control server.
Bad Actors Target WordPress Sites
The payloads themselves vary in sizes, from 70MB to about 123MB. In addition, all the compromised sites – most were benign before being compromised by attackers – that served the malicious PDFs found by Menlo were WordPress sites, including some educational and .gov websites. The directory location serving the PDFs was created via WordPress’ Formidable Forms plugin, which enables administrators to easily create a form.
The researchers wrote that those affected were notified and the malicious PDFs taken down.
Another WordPress plugin recently was found by Wordfence threat researchers to be vulnerable to attack. In a blog post this week, the Wordfence Threat Intelligence team – Wordfence offers an endpoint firewall and malware scanner designed to protect WordPress – said that in late August they disclosed a vulnerability dubbed CVE-2021-39333 in the Hashthemes Demo Importer plug-in to WordPress. The vulnerability “allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.”
A patched version of the plugin – 1.1.2 – became available in late September.
“The appeal of WordPress is its flexibility in purpose as well as its ease of use and setup,” Leo Pate, managing consultant at application security vendor nVisium, told eSecurity Planet. “However, just like any software, its developers and those that make WordPress components, such as plugins and templates, are bound to make mistakes. This leads to vulnerabilities being introduced in a user’s websites. Because of this, it is important for users to look holistically at their WordPress environment and incorporate security at each component,” including the server, network and application tiers.
Rick Holland, CISO and vice president of strategy at risk protection firm Digital Shadows, told eSecurity Planet that a vulnerability in such components as plugins “highlights the increased attack surface from third-party code in the same way that browser extensions do. Software companies are responsible for their code and the code that runs on top of their code. Destructive threat actors, hacktivists or actors deleting sites for the ‘lulz’ would be most interested in this sort of vulnerability.”
SolarMarket’s Growing Profile
The SolarMarker backdoor has been on the radar of security researchers for much of this year. Researchers at threat intelligence firm Cyware in June wrote about SolarMarker, saying bad actors were using SEO poisoning techniques to get the malware onto systems. They noted that in April, attackers using SolarMarker had flooded search results with more than 100,000 web pages that offered free office forms, including resumes, invoices, receipts and questionnaires.
Bad actors had been using keyword-stuffing documents that were hosted on Amazon Web Services (AWS) and Strikingly, a website builder. They said the developers of SolarMarker were likely Russian-speaking.
Cisco Systems’ Talos unit in July also wrote about SolarMarker.
eSentire, a managed detection and response (MDR) vendor, in a blog post earlier this month wrote that its Threat Response Unit had seen a five-fold increase in SolarMarker infections. Before September, the eSentire unit was detecting and shutting down an infection per week. Since then, the average has been five a week. Around the same time, SolarMarker attackers changed from relying on Blogspot and Google sites and content delivery networks to host malicious files on WordPress.
More Than a Million Malicious Pages
The number of malicious pages from SolarMarker attacks jumped from more than 100,000 to more than 1 million. The bad actors also use such techniques as large payload sizes, obfuscated payload modules and stolen certificates to evade detection by antivirus products.
As remote work becomes more commonplace, the browser is becoming a more central tool for workers, according to the Menlo researchers. They pointed to a study by Google that found end users spend an average of 75 percent of their workday in a browser and Menlo’s own survey this month that showed that three-quarters of respondents said hybrid and remote workers accessing applications on unmanaged devices is a significant security threat.
“While SolarMarker is a classic example of a supply chain-style attack in which attackers can take advantage of vulnerable sites to launch their malicious campaigns, it is also an example of how attackers have quickly found ways to exploit the increased usage of the browser, as well as companies pivoting to cloud-based applications,” they wrote. “What makes this type of attack especially dangerous is the method used to initiate it. … [T]hese attacks have been specifically designed to target the user directly by evading traditional methods of detection.”
Further reading: Best Secure Web Gateway Vendors