Cybercriminals using search engine optimization (SEO) techniques target users searching for business form templates and direct them to Google-hosted domains. Hackers control over 100,000 malicious Google sites that look legitimate but instead infect with remote access trojans (RATs).
RATs can allow attackers to gain access to a network and later infect systems with ransomware, banking trojans, credential-stealers, and more.
In a report published Wednesday, eSentire’s Threat Response Unit (TRU), a security firm that first discovered malicious web pages distributing infected business forms, said threat actors use SEO keywords like a template, invoice, receipt, questionnaire, and resume to target victims through search engines. Threat actors use SEO strategy to increase the likelihood that victims will visit the infected sites.
Then they use Google search redirection and drive-by-download tactics to drop on the victim’s computers a RAT, tracked by eSentire as SolarMarker. It is also known as Jupyter, Yellow Cockatoo, and Polazert.
Upon visiting a fake website and opening a PDF doc, the victim unknowingly executes a binary, thus infecting their machine.
“This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code,” researchers noted the security holes in modern browsers. “Unfortunately, it reveals a glaring blind spot in controls, which allows users to execute untrusted binaries or script files at will.”
The threat group behind SolarMarker is primarily targeting business professionals, especially persons working in the financial industry.
Researchers describe an incident when a victim from the financial industry searched for a free template and was redirected via Google Search to an infected Google sites page that showed a download button delivering a RAT.
“Once a RAT has been installed on a victim’s computer, the threat actors can upload additional malware to the device, such as a banking trojan, which could be used to hijack the online banking credentials of the organization,” they said. Threat actors also could install a credential-stealer, and more malware.
Researchers warned that, over the last months of 2020, besides PDF, attackers used other files, including docx2rtf.exe, photodesigner7_x86-64.exe, Expert_PDF.ex, and docx2rtf.exe.