SolarMarker shifts from SEO poisoning to watering hole attacks

SolarMarker SEO Poisoning Watering Hole Cyberattacks

A new SolarMarker campaign had been spotted in the wild, with its operators targeting a global tax consulting firm through watering hole attacks. Researchers stated that the new attack approach of the group replaces their old method of SEO poisoning or spamdexing.

The latest campaign of SolarMarker operators involved them exploiting vulnerabilities inside the website of a medical equipment manufacturer built from the WordPress CMS. The targeted victim in the campaign was a staff of a tax consulting firm, which was lured and tricked by the attackers to download and launch SolarMarker malware into their computer under the guise of a Google Chrome update.


Experts explained that the fake browser update overlay design would reflect which browser the victim is utilising, a tactic heavily seen for watering hole attacks.


Suppose the victim uses Firefox or Microsoft Edge as their web browser at the time of the attack. In that case, the threat actors’ fake browser overlay design will be altered to a fake Firefox or MS Edge browser update to trick the victim into downloading the malware-infected file regardless of the victim’s current browser.

It is still unknown whether this identified activity of SolarMarker involving watering hole attacks indicates a wider campaign from them to be expected soon. Nevertheless, experts have released advisories to organisations and individuals to lessen the attack impact of such attacks.

The experts said that it is important for firms to raise their employees’ awareness about threats surrounding downloading suspicious files they find online, including fake browser updates that could lead to malware infection. Thus, users must only gather online content from trusted sources and avoid free or bundled software deals that look as if it is too good to be true.

The SolarMarker malware is a payload that, once injected into a computer, would steal web browsers’ autofill data, saved passwords, and saved financial or banking credentials. Built through the [.]NET framework, SolarMarker first emerged in 2020 and is usually spread via a PowerShell installer, which can effectively steal data from its victims.

Before being spotted using watering hole attacks, the SolarMarker operators first leveraged SEO poisoning techniques in most of their campaigns.

About the author

Leave a Reply