From malicious email attachments to weaponized PDFs, cybercriminals leverage various traps to target unwitting victims. At times, threat actors rely on old hacking techniques like backdoor payloads to compromise targeted systems and pilfer sensitive data.
Recently, security experts from Microsoft unveiled a series of attacks that used SEO Poisoning to infect systems with a remote access trojan (RAT) and steal sensitive data. The threat actors distributed SolarMarker malware (also known as Jupyter, Polazert, and Yellow Cockatoo) in this campaign. SolarMarker is a .NET RAT that runs in a system’s memory and is used by hackers to deploy additional payloads on infected devices. It’s a backdoor malware that steals user data and credentials from web browsers and exfiltrates the stolen data to C2 servers.
What is SEO Poisoning?
Also known as search poisoning, SEO poisoning is an old attacking strategy in which threat actors create malicious websites and use different SEO techniques to make them appear on top in search results. In SEO poisoning, attackers use tactics like keyword stuffing, PDF documents, hidden text, and cloaking to manipulate the search rankings and redirect the victims to unwanted applications, phishing sites, malware links, and adware.
How Does a SolarMarker Attack Work?
Threat actors used thousands of PDF documents stuffed as SEO keywords and links that redirected users to a malicious site. “The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with ten pages of keywords on a wide range of topics. As intended, these PDF files or pages referencing them turn up in search results. When opened, the PDFs prompt users to download a .doc file or a .pdf version of their desired info. Users who click the links are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga,” Microsoft said.
Attackers used catchy business terms like insurance form, acceptance of contract, how to join in SQL, and math answers to lure professionals.
As intended, these PDF files or pages referencing them turn up in search results. When opened, the PDFs prompt users to download a .doc file or a .pdf version of their desired info. Users who click the links are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga. pic.twitter.com/cBeTfteyGl
— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2021
Over 100K Malicious Webpages Found
Attackers commonly hide RAT into these forms to redirect the users to the fraudulent websites that host the malware. They leverage the malicious document templates to infiltrate into victims’ devices.
Earlier, cybersecurity solutions provider eSentire reported that threat actors leveraged Google Sites to host malicious documents. Attackers targeted business professionals to lure them into hacker-controlled websites, hosted on Google Sites, inadvertently installing RATs. eSentire discovered over 100,000 unique web pages that contained popular business terms as keywords such as template, invoice, receipt, questionnaire, and resume.
“Once the target lands on a site controlled by the hacker, the page shows download buttons for the document template they were searching. When clicked, the business professional is redirected (unknowingly) to a malicious website which serves up an executable disguised as a PDF document or a Word document,” eSentire said.