SEO poisoning campaign aims at delivering RAT, Microsoft warns

Microsoft spotted a series of attacks that use SEO poisoning to deliver a remote access trojan (RAT) used by threat actors to steal sensitive data.

Microsoft is monitoring a wave of cyber attacks that leverages SEO poisoning to deliver a remote access trojan (RAT) to steal sensitive data from the infected systems

The IT giant revealed that the SEO poisoning technique is effective, its Microsoft Defender Antivirus has thousands of PDF documents delivered as part of the ongoing campaign.

Upon opening the PDF files, users are prompted to download a .doc file or a .pdf version of their desired info. Once clicked the links, users will be redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga. The sites appear as a clone of Google Drive web pages used to serve the SolarMaker malware.

Microsoft experts noticed that the PDF files are hosted on Amazon Web Services and Strikingly primarily.

The campaign is delivering a fileless .NET RAT dubbed SolarMarker (aka Jupyter, Polazert, and Yellow Cockatoo), a .NET RAT which is also used to deliver other malicious payloads on the infected devices.

SolarMarker implements backdoor capabilities and allows operators to steal credentials from web browsers, it gains persistence by adding itself to the Startup folder and modifying shortcuts on the victims’ desktop.

In April, security experts from eSentire discovered over 100,000 unique web pages that were containing popular business terms/particular keywords (i.e. template, invoice, receipt, questionnaire, and resume). These common business terms were used for SEO poisoning (black hat search-engine operation), to trick Google’s web crawler that the intended content meets conditions for a high PageRank score.

“Operators of the malware known as SolarMarker, Jupyter, other names are aiming to find new success using an old technique: SEO poisoning. They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware.” state Microsoft. “After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file, which is typically the SolarMarker/Jupyter malware, but we have also seen random files being downloaded, a detection/analysis evasion tactic.”

Microsoft recommends that organizations enable EDR in block mode to block the malware.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, seo poisoning)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.