Microsoft is pursuing a number of attacks that use SEO poisoning to infect targets with a Remote Access Trojan (RAT), which is capable of stealing victims’ confidential information and opening their systems through backdoors.
The malware deployed in this campaign is SolarMarker (also known as Jupyter, Polazert, and Yellow Cockatoo), a .NET RAT that runs in memory and is used by attackers to drop other payloads on infected devices.
SolarMarker is designed to give its masters a back door to compromised systems and to steal credentials from web browsers.
The data that it can collect from infected systems is exfiltrated onto the command and control server. It also gains persistence by adding itself to the Startup folder and changing shortcuts on the victim’s desktop.
In April, eSentire researchers observed that threat actors behind SolarMaker flooded search results with over 100,000 web pages claiming to provide free Office forms (such as invoices, questionnaires, receipts, and résumés).
However, they would instead act as traps for business people looking for document templates, infecting them with the SolarMaker RAT using drive-by downloads and search redirection through Shopify and Google Sites.
Switches to Abuse of AWS and Strikingly
In more recent attacks discovered by Microsoft, the attackers have switched to keyword-filled documents hosted on AWS and Strikingly and are now targeting other sectors, including finance and education.
“They are using thousands of PDF documents filled with SEO keywords and links that start a chain of redirects that eventually lead to malware,” Microsoft said.
“The attack works by using PDF documents that are supposed to rank in search results. To do this, attackers populated these documents with more than 10 pages of keywords on a variety of topics, from ‘Insurance Form’ and ‘Contract Acceptance’ to ‘How to Join SQL’ and ‘Math Answers’. “
Once the victims find and open one of the maliciously crafted PDFs, they will be prompted to download another PDF or DOC document with the information they are looking for.
Instead of gaining access to the information, they are redirected through multiple websites with .site, .tk, and .ga TLDs to a cloned Google Drive website, where they are served the final payload, the SolarMaker malware.
According to Morphisec, SolarMaker developers are considered Russian-speaking threat actors due to misspellings from Russian to English.
The Morphisec researchers also found that many of the malware’s C2 servers are located in Russia, although many were no longer active.
“The TRU has not yet observed any targeted actions following a SolarMarker infection, but suspects a number of possibilities including ransomware, credential theft, fraud, or as entry into victim networks for espionage or exfiltration operations,” eSentire’s Threat Response Unit (TRU) added.