New malware using PDFs stuffed with popular keywords for SEO poisoning: SolarMarker virus steals data and credentials from browsers

Beware of “helpful” PDF files. Pic credit: portal gda/Flickr

A new malware family has tweaked an old spreading method, using PDF documents to reach thousands of unsuspecting PC users. The SolarMarker malware relies on the SEO poisoning technique to spread, and it steals data and logins from web browsers.

There has been a sharp rise in infections by a new malware family that security researchers are calling SolarMarker. The malware is using simple but effective SEO techniques to push its lure pages up the search rankings.

New malware installs Remote Access Trojan (RAT) using SEO poisoned PDFs as bait:

Microsoft has been tracking a new RAT that uses old techniques to infect PCs across the world. The SolarMarker malware is also called Jupyter, Polazert, and Yellow Cockatoo. It is a .NET RAT that runs in the memory of victims’ PCs.

The malware is using SEO poisoning to boost its chances of infection. This is an old technique that piggybacks on search engine listings: attacker-controlled pages are pushed up the rankings for common search terms so that ordinary users land on them.

The attackers are using thousands of PDFs stuffed with SEO keywords. These seemingly harmless documents are full of links that reportedly redirect the victims through multiple sites to one that installs the malware.

eSentire researchers observed the SolarMarker operators flooding search results with over 100,000 web pages. These laced PDF documents claimed to provide free office forms (e.g., invoices, questionnaires, receipts, and resumes).

The majority of these documents contained 10 or more pages consisting of nothing but keywords on a wide range of topics. These pages existed only to “game” the search engines and rank the documents higher in search results.
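The lure documents described above can be triaged statically. The following Python script is an added example, not code from the original article or from Microsoft or eSentire: it builds two constructed sample documents (a keyword-stuffed “free forms” lure carrying many link annotations, and a plain invoice with a single link), extracts the /URI link targets and the visible text with byte-level regexes, and flags a document whose link count is high or whose type/token ratio (unique words over total words) is low. The thresholds, the .example hostnames and the sample text are assumptions chosen for illustration; real lures often compress their object streams with /FlateDecode, which a byte-level scan like this one will not see until the streams are decompressed.

```python
import re
from urllib.parse import urlparse

# Byte-level regexes for the two PDF structures this triage inspects:
# link annotations  /A << /S /URI /URI (target) >>  and text strings  (...) Tj
_URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
_TJ_RE = re.compile(rb"\(((?:[^()\\]|\\.)*)\)\s*Tj")


def make_pdf(links: list[str], text: str) -> bytes:
    """Build a constructed, uncompressed PDF-like byte string for testing.

    This is a sample generator, not a real PDF writer: there is no xref table
    and nothing is compressed, so the regexes above see every object. It exists
    only so the example runs offline on realistic-looking input.
    """
    safe_text = text.replace("(", r"\(").replace(")", r"\)").encode("latin-1")
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj",
        b"4 0 obj << >> stream\nBT (" + safe_text + b") Tj ET\nendstream endobj",
    ]
    for i, url in enumerate(links, start=5):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (i, url.encode("latin-1")))
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\n%%EOF\n"


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI action target found in the uncompressed bytes."""
    return [m.group(1).decode("latin-1") for m in _URI_RE.finditer(pdf)]


def extract_text(pdf: bytes) -> str:
    """Every literal string drawn with the Tj operator, joined with spaces."""
    return " ".join(m.group(1).decode("latin-1") for m in _TJ_RE.finditer(pdf))


def type_token_ratio(text: str) -> float:
    """Unique words / total words. Keyword-stuffed pages repeat a tiny vocabulary.
    A document with no extractable text gets 1.0 so it is not flagged on text alone."""
    tokens = re.findall(r"[a-z0-9]+", text.lower())
    return len(set(tokens)) / len(tokens) if tokens else 1.0


def triage(pdf: bytes, max_links: int = 5, min_ttr: float = 0.35) -> dict:
    """Flag a document that looks like an SEO-poisoning lure.
    max_links and min_ttr are assumed thresholds; tune them on your own corpus."""
    uris = extract_uris(pdf)
    hosts = sorted({urlparse(u).hostname or "?" for u in uris})
    ttr = type_token_ratio(extract_text(pdf))
    reasons = []
    if len(uris) > max_links:
        reasons.append(f"{len(uris)} link annotations to {len(hosts)} hosts")
    if ttr < min_ttr:
        reasons.append(f"type/token ratio {ttr:.2f}: text is mostly repeated keywords")
    return {"links": len(uris), "hosts": hosts, "ttr": round(ttr, 2),
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples. Hostnames use the reserved .example TLD; the lure text
# mimics the "free forms" keyword filler the campaign used.
LURE_PDF = make_pdf(
    [f"http://free-forms-{i}.example/invoice-template" for i in range(6)],
    " ".join(["free invoice template", "free receipt form", "free resume template"] * 3),
)
BENIGN_PDF = make_pdf(
    ["https://billing.example/pay/1042"],
    "Invoice 1042 issued to Acme Corp for consulting services rendered in May, "
    "total due 1500 USD within thirty days",
)

if __name__ == "__main__":
    for name, doc in (("lure", LURE_PDF), ("benign", BENIGN_PDF)):
        print(name, triage(doc))
```

The two signals are deliberately independent: a lure can carry few links but pages of filler, or genuine-looking text with a wall of redirect links, and either alone is worth a second look. For production use, decompress /FlateDecode streams (for example with a real PDF library) before applying the regexes, and resolve the link targets in a sandbox rather than on an analyst workstation, since the campaign relies on multi-hop redirects that a static scan cannot follow.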

What is the SolarMarker malware stealing from victims’ PCs?

Attackers are using the modified variant of the SolarMarker malware to drop other payloads on infected devices. While the original intention is to steal information, some experts caution that there could be other specific purposes as well.

The data that the malware steals is sent to a command-and-control server set up by its creators. The malware also has self-preservation (persistence) techniques: it reportedly adds itself to the Startup folder, which Windows runs at every logon, and modifies shortcuts on the victims’ desktop. Both are worth checking during triage: the contents of the per-user and all-users Startup folders, and the target fields of desktop shortcut (.lnk) files.

An earlier iteration of the SolarMarker RAT malware was aimed at business professionals. The aim was to steal corporate information through compromised accounts and logins.

However, the new variant of the malware has a much broader scope. The primary and secondary objectives of the new campaign aren’t clear. Cybersecurity experts are still trying to figure out why the makers of the RAT suddenly changed gears and began targeting the general public.

Some of the possible purposes could be “ransomware, credential theft, fraud, or as a foothold into the victim networks for espionage or exfiltration operations,” speculated eSentire’s Threat Response Unit (TRU).

The simplest method of avoiding such malware is caution with PDFs, especially ones found through a search for free forms or templates. Internet users should only open PDF documents that come from trusted sources, and should not follow links inside a downloaded document that bounce through several redirecting sites, since that redirect chain is what leads to the installer.
