Researchers have identified the cyberattack group behind the SolarMarker malware as the actor currently targeting a global tax consulting firm with offices in the United States, Canada, the United Kingdom, and Europe. The group is using fake Chrome browser updates as part of watering hole attacks. This is a fresh approach for the group, replacing its previous method of SEO poisoning, also known as spamdexing.
SolarMarker is a multistage malware that can steal autofill data, saved passwords, and credit card information from victims’ browsers. According to an advisory issued on Friday by eSentire’s Threat Response Unit (TRU), the threat group was observed exploiting vulnerabilities in a medical equipment manufacturer’s website, which was built with the popular open-source content management system WordPress. The victim, an employee of the tax consulting firm, reached the compromised site after using Google to look up the manufacturer’s name.
“This tricked the employee into downloading and executing SolarMarker, which was disguised as a Chrome update,” the advisory noted.
“The fake browser update overlay design is based on what browser the victim is utilizing while visiting the infected website,” the advisory added. “Besides Chrome, the user might also receive the fake Firefox or Edge update PHP page.”
Considering that the TRU team has only witnessed a single infection of this vector type, it is unclear whether the SolarMarker group is testing new tactics or preparing for a larger campaign. Previous SolarMarker attacks used SEO poisoning to target people who searched online for free templates of popular business documents and business forms.
Increase Employee Awareness by Monitoring Endpoints
The TRU advisory outlines four key steps organisations can take to mitigate the impact of these types of attacks, including increasing employee awareness of automatic browser updates and avoiding downloading files from unknown sites.
“Threat actors research the kind of documents businesses look for and try to get in front of them with SEO,” the advisory stated. “Only use trusted sources when downloading content from the internet, and avoid free and bundled software.”