Search engine poisoning and stealthy persistence mechanisms can rear their ugly heads this year if defenders get complacent.
Last year, the SolarMarker malware attack campaigns used search engine optimization (SEO) poisoning as a novel delivery method.
Among unique techniques, the .NET malware, usually delivered by a PowerShell installer, inserts custom file handling rules for a randomly-created file extension and a .LNK Windows’ start up folder to create a stealthy persistence mechanism for its backdoor.
This approach has left a legacy of active backdoors that antimalware products are still detecting months after the last campaign ended due to malware site’s takedown. However, Because as this method of attack is far from extinct.
Commenting on the importance of staying vigilant this year, Sean Gallagher, Senior Threat Researcher, Sophos Labs, who has been researching SolarMarker, said the cyber threat landscape moves so fast that it can be tempting for defenders to focus on active or widely-used attack approaches, but SEO poisoning could be the Achilles’ heel in the end. “There are still some active campaigns that use SEO as a delivery method, including the SolarMarker campaigns we investigated, and these don’t get as much security attention right now. As a result, these SEO-based campaigns can slip under the radar of defenders until it is too late, and the payload has already been deployed. Employee education on the risks will help, but a strong defense-in-depth (approach) that catches malicious downloads that have slipped through the net is best.”
According Gallagher, his research of ProxyLogon vulnerabilities targeting Exchange servers indicates that defenders should always check whether attackers have left something behind in the network that they can return to later. “For ProxyLogon this was web shells; for SolarMarker this is a stealthy and persistent backdoor that according to Sophos telematics is still active months after the campaign ended.”