
How SolarMarker attacks trick trusting end-users with fake browser updates

‘There’s nothing for the antivirus to detect,’ says one security researcher.

Mickey McDougall

3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Like your friend on a road trip or that new Love Boat reboot, an info-stealing malware has gone in a different and concerning direction.

According to a report from the cyberthreat-detection provider eSentire, the malicious code known as “SolarMarker” has headed to WordPress, disguising itself as a Chrome browser update.

Though not a new attack, the “watering hole” method manipulates well-known sites that end-users may trust—and legitimate Windows processes that detection tools may trust.

“They’re effective because individuals don’t suspect them really. By leveraging reputable websites, we don’t see these attacks coming,” said Jonathan Broche, director of penetration testing at MorganFranklin Consulting’s cybersecurity practice.

What is a watering-hole attack?

  • Thirsty threat actors compromise a page that a certain group of users frequently visits—then a popular site becomes, in effect, a popular malware deliverer, maybe without a site owner even knowing.
  • As early as 2013, hackers redirected US Department of Labor site visitors to the Poison Ivy Trojan. Other high-profile instances of watering holes include a compromise of CCleaner software in 2017, a 2019 “Holy Water” attack that hit charity websites, and a targeting of Hong Kong-based sites in 2021.
  • The malware is frequently a remote access trojan (RAT), enabling the attacker to gain control of a target’s system.

What went pwn. The victim, according to the eSentire report, was an employee of a tax-consulting organization. The end-user, after searching for a medical-equipment manufacturer, landed on a WordPress site that served up a prompt to update Chrome.

The message tricked the user into downloading SolarMarker.

SolarMarker employs the legitimate scripting language PowerShell. PowerShell’s .NET assembly functions load and execute the malicious backdoor. The use of a trusted Windows process means the code is difficult to detect, according to an email by Keegan Keplinger, research and reporting lead at eSentire.

“What malware authors do is they will cook up these kinds of document files; they’re not executables. They’re more scripts, and they’ll kick off a Windows process that can read and interpret those scripts. And then they avoid dropping any kind of executable to the disk, and then there’s nothing for antivirus to detect,” Keplinger told IT Brew.

Some advice. Recommendations from the eSentire team include raising employee awareness of the threat, monitoring endpoint behavior (like watching for scripting languages that spawn off of Office documents), and only using trusted sources when downloading content from the internet.
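A detection sketch for the endpoint-behavior monitoring recommended above, added here as an example and not code from eSentire, IT Brew or WordPress: it flags a script host (PowerShell, wscript, mshta) started by an Office application or a browser, and PowerShell command lines that load a .NET assembly in memory, hide their window, or carry an encoded command. The process-creation events, process names and field layout are constructed assumptions, not real telemetry.

```python
# Rule-based triage of process-creation events for fileless script launches.
import re
from typing import Dict, List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line markers typical of fileless PowerShell loaders: reflective
# assembly loading, base64-encoded commands, and a hidden console window.
CMDLINE_MARKERS = {
    "reflective_assembly_load": re.compile(r"reflection\.assembly\]::load", re.I),
    "encoded_command": re.compile(r"-e(c|nc|ncodedcommand)?\b", re.I),
    "hidden_window": re.compile(r"-w(in(dowstyle)?)?\s+hidden", re.I),
}

def _name(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like a script-based, fileless launch."""
    parent, image = _name(event["parent"]), _name(event["image"])
    reasons: List[str] = []
    if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
        reasons.append("script_host_from_office")
    if image in SCRIPT_HOSTS and parent in BROWSER_PARENTS:
        reasons.append("script_host_from_browser")
    if image in ("powershell.exe", "pwsh.exe"):
        reasons += [k for k, rx in CMDLINE_MARKERS.items() if rx.search(event["cmdline"])]
    return reasons

def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (image, reasons) for every event that triggered at least one rule."""
    return [(e["image"], r) for e in events if (r := classify(e))]

# Constructed sample telemetry (parent process, new process, command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "[Reflection.Assembly]::Load($b)"'},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\jdoe\Downloads\invoice.js"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # three of the four sample events are flagged
```

The benign third event (an administrator's scheduled script launched from Explorer) is not flagged, which is the false-positive boundary these rules are tuned for; real deployments should key on full telemetry fields rather than file names alone.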

In an email response to questions from IT Brew, Reyes Martinez, marketing and communications contributor to WordPress, referred to best practices and plugin-management tips hosted on the site, as well as recommendations to always update WordPress to the latest version.

“Besides continual code testing by thousands of WordPress contributors, ‘bug bounty’ programs encourage the wider WordPress community to hunt for security vulnerabilities,” said Martinez via email.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.