Skip to content

SolarMarker backdoor targets job seekers via fake Indeed site

  • by
  • 3 min read

Cybercriminals imitate Indeed, a global job-searching and hiring platform, to deploy SolarMarker’s backdoor, targeting job seekers worldwide. This complex attack begins with a drive-by download and swiftly escalates, deploying multiple malicious components to compromise the system and exfiltrate data.

The SolarMarker infection event began in April 2024, when a user searching for workplace team-building ideas on Bing was redirected to a malicious site impersonating the global employment website Indeed. This deceptive site lured the user into downloading what appeared to be a legitimate document.

However, this document was a trojan horse, initiating the download of the SolarMarker payload.

This incident highlights a notable tactic employed by the attackers: Search Engine Optimisation poisoning. By manipulating search engine results, the attackers boosted the visibility of their malicious links, increasing the likelihood of successful infections. This underscores the critical need for users to exercise caution when clicking on search engine results, even if they appear legitimate.

“The attackers’ use of SEO tactics to direct users to malicious sites underscores the importance of being cautious about clicking on search engine results, even if they appear legitimate,” researchers cautioned.

The malicious website. | Source: eSentire

Researchers discovered that the SolarMarker campaign differed significantly from the previous ones, and the trojan has evolved. Previously, the malware embedded its backdoor directly in the code. Recently, however, it has shifted to embedding the backdoor in the resource section of the file, encrypted with the AES encryption algorithm.

Upon executing the initial payload, a fake error message is displayed, masking the malicious activity.

The backdoor connects to Command and Control (C2) servers at IP addresses 2.58.15[.]118 and 146.70.80[.]83. Once the connection is established, the attackers deploy additional malicious components, StellarInjector and SolarPhantom.

The StellarInjector payload injects SolarPhantom into the SearchIndexer.exe process. SolarPhantom has info-stealing and hidden virtual network computing (hVNC) capabilities. It stages the stolen browsing data within a folder in the %TEMP% directory, which is named using a 10-digit value. The filename generation algorithm is intricate, involving the user’s browser profile path and the location of the Firefox executable.

Embedded SolarMarker malware. | Source: eSentire

Researchers also discovered that SolarMarker uses legitimate certificates for the initial payload to complicate detection:

  • Ameri Mode Inc. (Issuer: DigiCert)

The use of legitimate certification indicates a high level of sophistication, allowing attackers to bypass traditional security measures.

Upon identifying the SolarMarker infection, researchers isolated the host to prevent the malware from spreading further. They also notified the customer and provided remediation support.

Recently, cyber crooks from Pakistan targeted Indian government entities via a malicious website. Also, scammers are targeting the Paris Summer Olympics 2024 with several phishing websites.

In the News: Pixel 8 users get 3-year extended support for display issues

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: