SEO poisoning used to backdoor targets with malware

Microsoft is investigating a number of cyberattacks that use SEO poisoning to infect targets with a remote access trojan (RAT) capable of stealing sensitive information and backdooring victims’ systems.


SolarMarker (aka Jupyter, Polazert, and Yellow Cockatoo), a .NET RAT that runs in memory and is used by attackers to drop other payloads on affected devices, is the malware distributed in the SEO poisoning campaign.




SolarMarker’s masters can use it to gain access to compromised computers and steal passwords from web browsers.


The information it collects from infected computers is sent to a command-and-control server.


It will also gain persistence by altering shortcuts on the victims’ desktop and attaching itself to the Startup folder.


Threat actors behind SolarMaker flooded search results with over 100,000 web pages offering to supply free office forms, according to eSentire researchers in April (e.g., invoices, questionnaires, receipts, and resumes).


Instead, they’d set traps for business professionals looking for document templates, infecting them with the SolarMaker RAT via drive-by downloads and search redirection through Shopify and Google Sites.


The attackers have turned to keyword-stuffed documents stored on AWS and Strikingly in more recent attacks identified by Microsoft, and are now targeting additional sectors such as banking and education.



Backdoor, Info Stealer, Information Stealer, Malware, Remote Access Trojan, SEO, SEO Poisoning, Security, InfoSec, Computer Security, RAT, antivirus, Computer Security, computers, cyber news, cyber security news, cyber security news today, cyber security updates, cyber updates, cyberattack, cyberattacks, cybercrime, cybercriminals, cybersafe news, cybersecurity, cybersecurity news now, cybersecurity news today, dark web, data breach, Data leak, data stealing malware, DDoS, Distributed Denial of Service, Email, email security, Excel, exploit, hacker news, Hacks, Infected Installer, information security, InfoSec, infosec news, latest cybernews today, latest cybersecurity news today, linux, Mac, Malicious email campaign, Malvertising, Malware, malware app, malware removal, mining bots, Mobile Security, network security, online security, personal data exposed, Phishing, Privacy, python bot, ransomware, ransomware attack, ransomware attacks 2021, ransomware gang, ransomware group, ransomware malware, ransomware news, RCE, recent ransomware attacks, Remote Access Trojan, Remote Code Execution, remote desktop app, remote desktop app virus, remote desktop malware, REvil, rootkit, Security, security flaw, smartphone, software vulnerability, Spam, spyware, Supply Chain, tech, tech news, tech support, tech updates, technical support, Technology, trojan, virus, virus removal, Vulnerabilities, Vulnerability, Web Security, Computer Security news, Cyberattack news,
Source: Microsoft



“They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware,” Microsoft said.


“The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from ‘insurance form’ and ‘acceptance of contract’ to ‘how to join in SQL’ and ‘math answers’.”



When victims open one of the maliciously designed PDFs, they are prompted to download another PDF or DOC document that contains the information they want.


Instead of getting access to the information, customers are led to a cloned Google Drive web page where they are served the final payload, the SolarMaker malware, via numerous websites utilising the .site,.tk, TLDs.


According to Morphisec, the SolarMaker creators are likely to be Russian-speaking threat actors due to misspellings in the Russian to English translation.


Many of the malware’s C2 servers, according to the Morphisec researchers, are based in Russia, albeit many are no longer operating.


“The TRU has not yet observed actions-on-objectives following a SolarMarker infection, but suspect any number of possibilities, including ransomware, credential theft, fraud, or as a foothold into the victim networks for espionage or exfiltration operations,” eSentire’s Threat Response Unit (TRU) added.



Also read: McDonald’s suffers data breach: Reports


You might also like: Microsoft warns of data stealing malware (StrRAT Fake-Ransomware RAT)


You might also like: EA data breach: hackers stole game source code


You might also like: Volkswagen suffers massive data breach: 3.3 million customers impacted





Original Source: BleepingComputer