A new malware has tweaked an old method of spreading but is using PDF documents to spread to thousands of unsuspecting PC users. The SolarMarker malware relies on the SEO poisoning technique to spread, and steal data and logins from web browsers.
There has been a sharp rise in a new malware, which cybersecurity agencies are calling SolarMarker. The malware is using simple but effective SEO techniques to boost search rankings.
New malware installs Remote Access Trojan (RAT) using SEO poisoned PDFs as bait:
Microsoft has been tracking a new RAT that uses old techniques to infect PCs across the world. The SolarMarker malware is also called Jupyter, Polazert, and Yellow Cockatoo. It is a .NET RAT that runs in memory of victims’ PCs.
The malware is using SEO Poisoning to boost its chances of infection. This is an old technique that piggybacks on search engine listings.
The malware delivered in this campaign is SolarMarker (aka Jupyter, Polazert, and Yellow Cockatoo), a .NET RAT that runs in memory and is used by attackers to drop other payloads on infected devices.
— Red Siege Information Security (@RedSiege) June 14, 2021
The attackers are using thousands of PDFs stuffed with SEO keywords. These seemingly harmless documents are full of links that reportedly redirect the victims through multiple sites towards one that installs the malware.
The team behind the SolarMarker malware have been loading it into PDFs and using web search to trick people into downloading them. https://t.co/TaAIRU58Fk
— The Mac Observer (@MacObserver) June 14, 2021
eSentire researchers observed SolarMaker creators were flooding search results with over 100,000 web pages. These laced PDF documents claimed to provide free office forms (e.g., invoices, questionnaires, receipts, and resumes).
The majority of these documents contained 10 or more pages that merely contained keywords on a wide range of topics. Needless to mention, these pages served to “game” the search engines and attempted to rank higher in search results.
What is the SolarMarker malware stealing from victims’ PCs?
Attackers are using the modified variant of the SolarMarker malware to drop other payloads on infected devices. While the original intention is to steal information, there could be other specific purposes as well, caution some experts.
The data that the malware manages to steal moves stealthily to a command-and-control server that the creators have set up. The malware has self-preservation techniques. It reportedly adds itself to the Startup folder and modifies shortcuts on the victims’ desktop.
An earlier iteration of the SolarMarker RAT malware was aimed at business professionals. The aim was to steal corporate information through compromised accounts and logins.
After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file, which is typically the SolarMarker/Jupyter malware, but we have also seen random files being downloaded, a detection/analysis evasion tactic. pic.twitter.com/oxIXoRQwQp
— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2021
However, the new variant of the malware has a much broader scope. The primary and secondary objectives of the new campaign aren’t clear. Cybersecurity experts are still trying to figure out why the makers of the RAT suddenly changed gears and are going after the general public.
Some of the possible purposes could be “ransomware, credential theft, fraud, or as a foothold into the victim networks for espionage or exfiltration operations,” speculated eSentire’s Threat Response Unit (TRU).
The simplest method of avoiding such malware is to steer clear of any and all PDFs. Internet users must only accept and open PDF documents that are from trusted sources.