Andrew Windsor and Chris Neal, researchers with Cisco Talos, have seen new activity from Solarmarker, a .NET-based information stealer and keylogger that they called “highly modular.” The researchers explained that the Solarmarker campaign is being conducted by “fairly sophisticated” actors focusing their energy on credential and residual information theft. Like the targeted language component of the keylogger, other clues indicate that the cyber-attacker has an interest in European organizations or cannot afford to process text in any languages other than Russian, German and English. “Regardless, they are not particular or overly careful as to which victims are infected with their malware. During this recent surge in the campaign, Talos observed the health care, education, and municipal governments verticals being targeted the most often,” the report said. The report added that Microsoft researchers believe the Solarmarker campaign is using SEO poisoning in order to make their dropper files highly visible in search engine results, potentially skewing “what types of organizations are likely to come across the malicious files depending on what is topically popular at the time.”
Analyst Notes
SEO poisoning is a method of making malicious content more likely to appear high in search engine results. Always remain aware that the top results from search engines are not necessarily the most legitimate. Malware distributors have used this in the past to promote compromised legitimate websites hosting their malicious content, so even if the website itself seems legitimate, be careful about running binaries that you download and don’t enable macros in Excel or Word documents.
https://www.zdnet.com/article/cisco-researchers-spotlight-solarmarker-malware
