Pierluigi Paganini
June 14, 2021
Microsoft is monitoring a wave of cyber attacks that leverages SEO poisoning to deliver a remote access trojan (RAT) to steal sensitive data from the infected systems
Microsoft 365 Defender data shows that the SEO poisoning technique is effective, given that Microsoft Defender Antivirus has detected and blocked thousands of these PDF documents in numerous environments.
— Microsoft Threat Intelligence (@MsftSecIntel) June 11, 2021
The IT giant revealed that the SEO poisoning technique is effective, its Microsoft Defender Antivirus has thousands of PDF documents delivered as part of the ongoing campaign.
Upon opening the PDF files, users are prompted to download a .doc file or a .pdf version of their desired info. Once clicked the links, users will be redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga. The sites appear as a clone of Google Drive web pages used to serve the SolarMaker malware.
As intended, these PDF files or pages referencing them turn up in search results. When opened, the PDFs prompt users to download a .doc file or a .pdf version of their desired info. Users who click the links are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga. pic.twitter.com/cBeTfteyGl
— Microsoft Threat Intelligence (@MsftSecIntel) June 11, 2021
Microsoft experts noticed that the PDF files are hosted on Amazon Web Services and Strikingly primarily.
The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from “insurance form” and “acceptance of contract” to “how to join in SQL” and “math answers”.
— Microsoft Threat Intelligence (@MsftSecIntel) June 11, 2021
The campaign is delivering a fileless .NET RAT dubbed SolarMarker (aka Jupyter, Polazert, and Yellow Cockatoo), a .NET RAT which is also used to deliver other malicious payloads on the infected devices.
SolarMarker implements backdoor capabilities and allows operators to steal credentials from web browsers, it gains persistence by adding itself to the Startup folder and modifying shortcuts on the victims’ desktop.
In April, security experts from eSentire discovered over 100,000 unique web pages that were containing popular business terms/particular keywords (i.e. template, invoice, receipt, questionnaire, and resume). These common business terms were used for SEO poisoning (black hat search-engine operation), to trick Google’s web crawler that the intended content meets conditions for a high PageRank score.
“Operators of the malware known as SolarMarker, Jupyter, other names are aiming to find new success using an old technique: SEO poisoning. They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware.” state Microsoft. “After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file, which is typically the SolarMarker/Jupyter malware, but we have also seen random files being downloaded, a detection/analysis evasion tactic.”
Microsoft recommends that organizations enable EDR in block mode to block the malware.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, seo poisoning)
[adrotate banner=”5″]
[adrotate banner=”13″]
