SEO poisoning campaign aims at delivering RAT, Microsoft warns

Microsoft spotted a series of attacks that use SEO poisoning to deliver a remote access trojan (RAT) used by threat actors to steal sensitive data.

Microsoft is monitoring a wave of cyber attacks that leverages SEO poisoning to deliver a remote access trojan (RAT) to steal sensitive data from the infected systems

The IT giant revealed that the SEO poisoning technique is effective, its Microsoft Defender Antivirus has thousands of PDF documents delivered as part of the ongoing campaign.

Upon opening the PDF files, users are prompted to download a .doc file or a .pdf version of their desired info. Once clicked the links, users will be redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga. The sites appear as a clone of Google Drive web pages used to serve the SolarMaker malware.

Microsoft experts noticed that the PDF files are hosted on Amazon Web Services and Strikingly primarily.

The campaign is delivering a fileless .NET RAT dubbed SolarMarker (aka Jupyter, Polazert, and Yellow Cockatoo), a .NET RAT which is also used to deliver other malicious payloads on the infected devices.

SolarMarker implements backdoor capabilities and allows operators to steal credentials from web browsers, it gains persistence by adding itself to the Startup folder and modifying shortcuts on the victims’ desktop.

In April, security experts from eSentire discovered over 100,000 unique web pages that were containing popular business terms/particular keywords (i.e. template, invoice, receipt, questionnaire, and resume). These common business terms were used for SEO poisoning (black hat search-engine operation), to trick Google’s web crawler that the intended content meets conditions for a high PageRank score.

“Operators of the malware known as SolarMarker, Jupyter, other names are aiming to find new success using an old technique: SEO poisoning. They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware.” state Microsoft. “After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file, which is typically the SolarMarker/Jupyter malware, but we have also seen random files being downloaded, a detection/analysis evasion tactic.”

Microsoft recommends that organizations enable EDR in block mode to block the malware.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, seo poisoning)

[adrotate banner=”5″]

[adrotate banner=”13″]