SEO poisoning used to backdoor targets with malware

Microsoft is investigating a number of cyberattacks that use SEO poisoning to infect targets with a remote access trojan (RAT) capable of stealing sensitive information and backdooring victims’ systems.

The malware distributed in the SEO poisoning campaign is SolarMarker (also known as Jupyter, Polazert, and Yellow Cockatoo), a .NET RAT that runs in memory and that attackers use to drop further payloads on infected devices.

SolarMarker’s operators can use it to gain access to compromised computers and steal passwords saved in web browsers.

The information it collects from infected computers is sent to a command-and-control server.

It also gains persistence by modifying shortcuts on the victim’s desktop and adding itself to the Startup folder.
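The persistence mechanism just described (modified desktop shortcuts plus a Startup-folder entry) is something an endpoint audit can look for directly. The Python below is an added example, not code from the article, from Microsoft, or from the other vendors cited: it parses the Windows Shell Link (.lnk) format just far enough to recover each shortcut's target path and command-line arguments, then flags shortcuts in the user's Startup folder or on the Desktop that launch a script host. The list of suspicious hosts, the folder locations, and the `build_lnk` fixture used to exercise the parser are assumptions constructed for this example.

```python
import os
import struct
from pathlib import Path

# Added example (not from the article or from Microsoft): audit Startup-folder
# and Desktop shortcuts for targets that launch a script host, the kind of
# change a shortcut-hijacking loader makes. Only the parts of the Shell Link
# (.lnk) format needed for the target path and arguments are parsed.

LNK_HEADER_SIZE = 0x4C
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relpath", HAS_RELATIVE_PATH),
                 ("workdir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon", HAS_ICON_LOCATION))

# Script hosts a hijacked shortcut would typically launch. This list is an
# assumption for the heuristic, not something taken from the article.
SUSPICIOUS_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                    "cmd.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _cstring(buf: bytes, start: int) -> str:
    return buf[start:buf.index(b"\x00", start)].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    """Return the target path and arguments stored in a .lnk file."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_IDLIST:           # skip the IDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    target = ""
    if flags & HAS_LINK_INFO:                    # LinkInfo carries LocalBasePath + CommonPathSuffix
        info_size, _, info_flags, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
        if info_flags & 0x01:                    # VolumeIDAndLocalBasePath present
            target = _cstring(data, pos + base_off) + _cstring(data, pos + suffix_off)
        pos += info_size
    strings = {}                                 # StringData: 2-byte char count, then the chars
    for name, flag in STRING_FIELDS:
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += count * width
    return {"target": target, "arguments": strings.get("arguments", "")}


def is_suspicious(parsed: dict) -> bool:
    """Flag a script-host target, or a script host smuggled into the arguments."""
    exe = os.path.basename(parsed["target"].replace("\\", "/")).lower()
    args = parsed["arguments"].lower()
    return exe in SUSPICIOUS_HOSTS or any(h in args for h in SUSPICIOUS_HOSTS)


def audit_blobs(named_blobs) -> list:
    """Check (name, raw bytes) pairs; return [(name, target, arguments)] for hits."""
    hits = []
    for name, blob in named_blobs:
        try:
            parsed = parse_lnk(blob)
        except (ValueError, IndexError, struct.error):
            continue                             # unparsable file: skip, do not crash the audit
        if is_suspicious(parsed):
            hits.append((name, parsed["target"], parsed["arguments"]))
    return hits


def audit_folders(folders) -> list:
    return audit_blobs((str(p), p.read_bytes())
                       for f in folders if Path(f).is_dir() for p in Path(f).glob("*.lnk"))


def build_lnk(target: str, arguments: str) -> bytes:
    """Construct a minimal .lnk (a test fixture built here, not a real sample)."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + bytes(16) + struct.pack("<I", flags) + bytes(52)
    volume_id = struct.pack("<4I", 17, 3, 0, 16) + b"\x00"   # fixed-drive VolumeID, empty label
    base, suffix = target.encode("latin-1") + b"\x00", b"\x00"
    base_off = 28 + len(volume_id)
    suffix_off = base_off + len(base)
    info = struct.pack("<7I", suffix_off + len(suffix), 28, 1, 28, base_off, 0, suffix_off)
    info += volume_id + base + suffix
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + info + args


if __name__ == "__main__":
    # Folder locations are assumptions for a default per-user Windows profile.
    startup = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"
    desktop = Path.home() / "Desktop"
    for name, target, arguments in audit_folders([startup, desktop]):
        print(f"SUSPICIOUS {name}: {target} {arguments}")
```

Shortcuts that store only an IDList and no LinkInfo come back with an empty target, so a production check should resolve the IDList or ask the Windows shell API for the target; the parser above is enough to catch the common case of a shortcut rewritten to point at a script host.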

According to eSentire researchers in April, the threat actors behind SolarMarker flooded search results with over 100,000 web pages offering free office forms such as invoices, questionnaires, receipts, and resumes.

Rather than supplying the forms, the pages were traps for business professionals looking for document templates, infecting them with the SolarMarker RAT via drive-by downloads and search redirection through Shopify and Google Sites.

In more recent attacks identified by Microsoft, the attackers have switched to keyword-stuffed documents hosted on AWS and Strikingly, and are now also targeting sectors such as banking and education.

Source: Microsoft

“They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware,” Microsoft said.

“The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from ‘insurance form’ and ‘acceptance of contract’ to ‘how to join in SQL’ and ‘math answers’.”

When victims open one of the maliciously designed PDFs, they are prompted to download another PDF or DOC document that contains the information they want.

Instead of receiving the promised information, victims are redirected to a cloned Google Drive page that serves the final payload, the SolarMarker malware, from numerous websites using the .site, .tk, and .ga TLDs.
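The chain described above (a keyword-stuffed PDF on a hosting service, a redirect, a cloned Google Drive page on a .site, .tk or .ga domain, then the executable) leaves a recognisable trail in web proxy logs. The Python below is an added example, not code from the article or from Microsoft: it rebuilds per-client referer chains from constructed tab-separated log lines and flags executable downloads from the named TLDs, recording whether the chain began with a PDF fetched from AWS or Strikingly. The log format, the placeholder hostnames and the hosting-suffix list are constructed for this example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Added example (not from the article or from Microsoft). LURE_TLDS are the
# TLDs the article names for the payload sites; HOSTING_SUFFIXES stand for the
# services it names as hosting the PDFs, and the exact suffixes are an assumption.
LURE_TLDS = {"site", "tk", "ga"}
HOSTING_SUFFIXES = ("amazonaws.com", "strikingly.com")
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
DOWNLOAD_EXTS = (".exe", ".msi", ".zip")

# Constructed proxy log lines (client, URL, content type, referer) in
# chronological order. Hostnames are placeholders, not real indicators.
SAMPLE_LOG = """\
10.0.0.5\thttps://s3.amazonaws.com/bucket-placeholder/free-invoice-template.pdf\tapplication/pdf\t-
10.0.0.5\thttps://free-forms-placeholder.site/download?doc=invoice\ttext/html\thttps://s3.amazonaws.com/bucket-placeholder/free-invoice-template.pdf
10.0.0.5\thttps://drive-clone-placeholder.tk/d/12345\ttext/html\thttps://free-forms-placeholder.site/download?doc=invoice
10.0.0.5\thttps://drive-clone-placeholder.tk/d/12345/invoice_template.exe\tapplication/octet-stream\thttps://drive-clone-placeholder.tk/d/12345
10.0.0.9\thttps://docs.example.com/manual.pdf\tapplication/pdf\thttps://www.example.com/
10.0.0.7\thttps://updater-placeholder.ga/setup.exe\tapplication/octet-stream\t-
"""


def parse_log(text: str) -> list:
    """Parse the constructed tab-separated format into request dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, ctype, referer = line.split("\t")
        entries.append({"client": client, "url": url, "ctype": ctype,
                        "referer": None if referer == "-" else referer})
    return entries


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def tld_of(url: str) -> str:
    return host_of(url).rsplit(".", 1)[-1]


def is_download(e: dict) -> bool:
    return e["ctype"] in DOWNLOAD_TYPES or urlparse(e["url"]).path.lower().endswith(DOWNLOAD_EXTS)


def is_hosted_pdf(e: dict) -> bool:
    return e["ctype"] == "application/pdf" and host_of(e["url"]).endswith(HOSTING_SUFFIXES)


def find_lure_chains(entries: list) -> list:
    """Flag executable downloads from a lure TLD and walk each referer chain back."""
    by_client = defaultdict(list)
    for e in entries:
        by_client[e["client"]].append(e)
    findings = []
    for client, seq in by_client.items():
        latest = {}                                  # URL -> most recent earlier request
        for e in seq:
            if is_download(e) and tld_of(e["url"]) in LURE_TLDS:
                chain, ref, seen = [e], e["referer"], set()
                while ref and ref in latest and ref not in seen:   # stop on gaps or loops
                    seen.add(ref)
                    chain.insert(0, latest[ref])
                    ref = latest[ref]["referer"]
                findings.append({"client": client,
                                 "hops": [h["url"] for h in chain],
                                 "from_hosted_pdf": is_hosted_pdf(chain[0])})
            latest[e["url"]] = e
    return findings


if __name__ == "__main__":
    for f in find_lure_chains(parse_log(SAMPLE_LOG)):
        label = "PDF-lure chain" if f["from_hosted_pdf"] else "lure-TLD download"
        print(f"{label} for {f['client']}: " + " -> ".join(f["hops"]))
```

The chain is only as complete as the Referer headers the proxy recorded, so the code stops at the first gap rather than guessing; a download that is flagged but has no PDF origin still deserves a look, which is why both cases are reported with a different label.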

According to Morphisec, the SolarMarker creators are likely Russian-speaking threat actors, judging by misspellings in the Russian-to-English translation.

Many of the malware’s C2 servers, according to the Morphisec researchers, are based in Russia, although many are no longer operating.

“The TRU has not yet observed actions-on-objectives following a SolarMarker infection, but suspect any number of possibilities, including ransomware, credential theft, fraud, or as a foothold into the victim networks for espionage or exfiltration operations,” eSentire’s Threat Response Unit (TRU) added.

Original Source: BleepingComputer