Researchers have discovered that the cyberattack group behind the SolarMarker malware is targeting a global tax consulting organization with a presence in the US, Canada, the UK, and Europe, using fake Chrome browser updates as part of watering hole attacks.
It's a new approach for the group, replacing its previous method of search engine optimization (SEO) poisoning, also known as spamdexing.
SolarMarker is multistage malware that can exfiltrate autofill data, saved passwords, and saved credit card information from victims' Web browsers.
Preparation for a Wider Attack?
According to an advisory published by eSentire's Threat Response Unit (TRU) on Friday, the threat group was seen exploiting weaknesses in a medical equipment manufacturer's website, which was built with the popular open source content management system WordPress.
The victim was an employee of a tax consulting organization and searched for the manufacturer by name on Google.
"This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update," the advisory noted.
"The fake browser update overlay design is based on what browser the victim is utilizing while visiting the infected website," the advisory added. "Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page."
It is unclear whether the SolarMarker group is testing new tactics or preparing for a wider campaign, given that the TRU team has observed only a single infection via this vector. Previous SolarMarker attacks used SEO poisoning to reach people who searched online for free templates of popular business documents and forms.
Monitor Endpoints, Raise Employee Awareness
The TRU advisory outlines four key steps organizations can take to reduce the impact of these kinds of attacks, including raising employee awareness regarding browser updates that occur automatically, and avoiding downloading files from unknown sites.
"Threat actors research the kind of documents businesses look for and try to get in front of them with SEO," the advisory stated. "Only use trusted sources when downloading content from the internet, and avoid free and bundled software."
The advisory also recommended more vigilant endpoint monitoring, which TRU notes will require more frequent rule updates to detect the latest campaigns, as well as enhanced threat-landscape monitoring to bolster the organization's overall defense posture.
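The advisory's two observations above (a fake browser-update overlay served as a PHP page from a compromised WordPress site, and the need for monitoring rules that keep pace with such lures) can be turned into a simple proxy-log check. The following is an added example written for this page, not code from eSentire or the advisory. The log format, client addresses and the `example-medical-vendor.invalid` hostname are constructed; the list of legitimate vendor download hosts is illustrative and would need to be tuned for a real environment.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log (not from the advisory). Fields, space separated:
# timestamp client method url status content-type user-agent
# The hostname example-medical-vendor.invalid stands in for a compromised
# WordPress site; the dl.google.com line is a legitimate Chrome installer.
SAMPLE_PROXY_LOG = """\
2023-03-03T10:02:11Z 10.0.0.15 GET https://example-medical-vendor.invalid/wp-content/uploads/update.php?b=chrome 200 application/octet-stream Mozilla/5.0 (Windows NT 10.0) Chrome/110.0
2023-03-03T10:02:12Z 10.0.0.15 GET https://example-medical-vendor.invalid/wp-content/uploads/ChromeUpdate.exe 200 application/x-msdownload Mozilla/5.0 (Windows NT 10.0) Chrome/110.0
2023-03-03T10:05:40Z 10.0.0.22 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200 application/x-msdownload Mozilla/5.0 (Windows NT 10.0) Chrome/110.0
2023-03-03T10:07:03Z 10.0.0.31 GET https://example-medical-vendor.invalid/about-us/ 200 text/html Mozilla/5.0 (Windows NT 10.0) Firefox/110.0
"""

# Illustrative allow-list of hosts the real browsers download updates from.
# Assumption: extend this with the update hosts actually seen in your environment.
VENDOR_HOSTS = {
    "dl.google.com",
    "download.mozilla.org",
    "msedge.b.tlu.dl.delivery.mp.microsoft.com",
}

# Content types that indicate an executable payload rather than a web page.
EXEC_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/octet-stream",
}

# Loose patterns: a browser name plus an update/setup/install keyword anywhere
# in the path or query. Deliberately not word-bounded so "ChromeUpdate.exe"
# matches; expect some noise and tune on real data.
BROWSER_RE = re.compile(r"chrome|firefox|msedge|edge", re.I)
UPDATE_RE = re.compile(r"update|setup|install", re.I)


def parse_line(line):
    """Split one proxy log line into a dict, or return None if malformed."""
    parts = line.split(" ", 6)
    if len(parts) < 7:
        return None
    ts, client, method, url, status, ctype, ua = parts
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": status, "ctype": ctype, "ua": ua}


def classify(entry):
    """Return a list of reasons this request looks like a fake-update lure.

    An empty list means nothing suspicious was seen. Downloads from an
    allow-listed vendor host are never flagged.
    """
    parsed = urlparse(entry["url"])
    host = (parsed.hostname or "").lower()
    path_q = (parsed.path + "?" + parsed.query).lower()
    if host in VENDOR_HOSTS:
        return []  # legitimate update channel

    reasons = []
    is_executable = entry["ctype"] in EXEC_CONTENT_TYPES

    # Browser-update wording on a host that is not the browser vendor.
    if BROWSER_RE.search(path_q) and UPDATE_RE.search(path_q):
        reasons.append("browser-update-lure-outside-vendor-host")

    # A PHP script handing back a binary is how the advisory describes the
    # fake update page being served.
    if is_executable and parsed.path.lower().endswith(".php"):
        reasons.append("executable-served-by-php-page")

    # Executables under a WordPress content directory are a weak but useful
    # signal given the compromised-CMS delivery described above.
    if is_executable and "/wp-content/" in parsed.path.lower():
        reasons.append("executable-from-wordpress-content-path")

    return reasons


def scan_log(text):
    """Return [(url, reasons)] for every log line with at least one reason."""
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw.strip())
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append((entry["url"], reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in scan_log(SAMPLE_PROXY_LOG):
        print(url, "->", ", ".join(reasons))
```

Run against the constructed log, the two downloads from the compromised site are flagged (the PHP page for three reasons, the `.exe` for two), while the genuine installer from `dl.google.com` and the plain HTML page pass. In practice the allow-list is the part that needs the most care: a host missing from it produces false positives, so it should be built from observed legitimate update traffic rather than guessed.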
SolarMarker Campaigns Back After Dormant Period
The .NET malware was first discovered in 2020 and is typically spread via a PowerShell installer, with information-gathering capabilities and a backdoor.
In October 2021, Sophos Labs observed a number of active SolarMarker campaigns that followed a common pattern: using SEO techniques, the cybercriminals managed to place links to websites with Trojanized content in the search results of several search engines.
A previous SolarMarker campaign reported by Menlo Security in October 2021 used more than 2,000 unique search terms, luring users to sites that then dropped malicious PDFs rigged with backdoors.