SolarMarker malware is spreading through malicious PDF documents that victims are lured into downloading, and it steals passwords and other data, Microsoft warns.
The authors of SolarMarker have optimized documents with SEO keywords in order to surface in search engine results and infect more victims with the malware.
SolarMarker is a backdoor malware that steals sensitive data and credentials from web browsers, according to a report from Microsoft.
SEO poisoning is a known technique for spreading malware: attackers manipulate search rankings so that people click on links that take them to a website which installs the malware.
“The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from ‘insurance form’ and ‘acceptance of contract’ to ‘how to join in SQL’ and ‘math answers’,” said Microsoft Security Intelligence in a tweet.
Previously, the security company CrowdStrike warned about the SolarMarker malware, saying it mainly targeted users in North America. The attackers used Google Sites to host malicious downloads and were also trying to get highly ranked in search results.
Microsoft researchers discovered that, in the recent round of attacks, the attackers were using Amazon Web Services and Strikingly’s services, in addition to Google Sites, to launch their attacks.
The attackers usually imitated Google Drive for hosting the payload and dropped the SolarMarker / Jupyter malware to steal sensitive information from users.
“When opened, the PDFs prompt users to download a .doc file or a .pdf version of their desired info. Users who click the links are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga,” Microsoft said. “After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file.”
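The redirect chain Microsoft describes (five to seven hops across throwaway TLDs, ending at a fake Google Drive page) is visible in web proxy logs. The following is an added example, not code from Microsoft or from the report: it follows 3xx Location headers per client into chains over constructed proxy log lines and flags chains that are unusually long or pass through several of the TLDs named above. The log format, the hop threshold of 5, and the hostnames in the sample are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy-style log lines (not real telemetry): timestamp, client IP,
# requested URL, HTTP status, and the Location header returned ("-" if none).
SAMPLE_LOG = """\
2021-06-11T09:14:01Z 10.0.0.5 http://cdn-files.site/docs/form.pdf 302 http://dl.fastdoc.tk/get?id=1
2021-06-11T09:14:01Z 10.0.0.5 http://dl.fastdoc.tk/get?id=1 302 http://share.openfile.ga/step2
2021-06-11T09:14:02Z 10.0.0.5 http://share.openfile.ga/step2 302 http://mirror.quickdl.site/step3
2021-06-11T09:14:02Z 10.0.0.5 http://mirror.quickdl.site/step3 302 http://files.docs-host.tk/step4
2021-06-11T09:14:03Z 10.0.0.5 http://files.docs-host.tk/step4 302 https://drive-google.example/download
2021-06-11T09:14:03Z 10.0.0.5 https://drive-google.example/download 200 -
2021-06-11T09:20:44Z 10.0.0.9 http://www.example.com/ 301 https://www.example.com/
2021-06-11T09:20:44Z 10.0.0.9 https://www.example.com/ 200 -
"""

SUSPICIOUS_TLDS = {"site", "tk", "ga"}  # TLDs named in Microsoft's description
MIN_CHAIN_HOPS = 5                      # "redirected through 5 to 7 sites" (assumed threshold)


def parse_log(text):
    """Split each constructed log line into a record dict."""
    records = []
    for line in text.splitlines():
        ts, client, url, status, location = line.split()
        records.append({
            "ts": ts, "client": client, "url": url,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    return records


def tld(url):
    """Last DNS label of the URL's host, lower-cased."""
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def build_chains(records):
    """Join each 3xx response to the client's next request when it matches the
    Location header; returns (client, [url, url, ...]) for chains of 2+ URLs."""
    chains = []
    open_chain = {}  # client -> (urls so far, URL the client is expected to request next)
    for r in records:
        chain, expected = open_chain.get(r["client"], ([], None))
        if expected != r["url"]:
            # The client did not follow the pending redirect; close that chain.
            if len(chain) > 1:
                chains.append((r["client"], chain))
            chain = []
        chain = chain + [r["url"]]
        if 300 <= r["status"] < 400 and r["location"]:
            open_chain[r["client"]] = (chain, r["location"])
        else:
            if len(chain) > 1:
                chains.append((r["client"], chain))
            open_chain.pop(r["client"], None)
    for client, (chain, _) in open_chain.items():
        if len(chain) > 1:
            chains.append((client, chain))
    return chains


def flag_chains(chains):
    """Flag chains with many hops or repeated use of the suspicious TLDs."""
    findings = []
    for client, chain in chains:
        hops = len(chain) - 1
        bad = sum(1 for u in chain if tld(u) in SUSPICIOUS_TLDS)
        if hops >= MIN_CHAIN_HOPS or bad >= 2:
            findings.append({"client": client, "hops": hops,
                             "suspicious_tlds": bad, "final": chain[-1]})
    return findings


if __name__ == "__main__":
    for f in flag_chains(build_chains(parse_log(SAMPLE_LOG))):
        print(f"{f['client']}: {f['hops']} hops, {f['suspicious_tlds']} suspicious TLDs, "
              f"landed on {f['final']}")
```

In the sample, the chain from 10.0.0.5 (5 hops, 5 hosts in .site/.tk/.ga) is flagged while the ordinary http-to-https bounce from 10.0.0.9 is not; in a real deployment the final landing host is the value worth pivoting on, since it is the page posing as Google Drive.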
The malware exfiltrates the stolen data to a command-and-control server and creates shortcuts in the Startup folder to maintain persistence, Microsoft researchers said.
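Shortcut files dropped into a Startup folder are a simple persistence mechanism and an equally simple thing to watch for in endpoint telemetry. The following is an added example, not code from Microsoft or from the report: it runs over constructed Sysmon-style FileCreate records (Event ID 11 fields Image and TargetFilename) and flags any .lnk written to a per-user or all-users Startup folder, raising severity when the writing process is a script host or runs from a user-writable location. The event tuples, the list of script hosts and the user-writable path patterns are assumptions for the example, not indicators from the report.

```python
import re

# Constructed Sysmon-style FileCreate (Event ID 11) records, not real telemetry:
# (utc_time, Image of the creating process, TargetFilename written)
SAMPLE_EVENTS = [
    ("2021-06-11 09:15:02",
     r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d9f3.lnk"),
    ("2021-06-11 09:15:03",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"),
    ("2021-06-11 10:02:11",
     r"C:\Program Files\ExampleCorp\setup.exe",
     r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ExampleCorp Agent.lnk"),
    ("2021-06-11 10:30:45",
     r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe",
     r"C:\Users\alice\Downloads\report.pdf"),
]

# A .lnk landing directly in any "...\Start Menu\Programs\Startup\" folder
# (per-user under AppData\Roaming, all-users under ProgramData).
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Heuristic (assumed for this example): processes running from user-writable
# locations, or script hosts, are unusual authors of Startup shortcuts.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Users\\Public)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}


def classify(image, target):
    """Return None if the write is not a Startup-folder shortcut, otherwise a severity."""
    if not STARTUP_LNK_RE.search(target):
        return None
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS or USER_WRITABLE_RE.search(image):
        return "high"
    return "medium"  # e.g. an installer under Program Files; still worth a look


def detect(events):
    """Return one finding per Startup-folder shortcut creation in the event list."""
    findings = []
    for time, image, target in events:
        severity = classify(image, target)
        if severity:
            findings.append({"time": time, "image": image,
                             "shortcut": target, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['image']} -> {f['shortcut']}")
```

Of the four constructed events, the two shortcuts written by a Temp-resident executable and by powershell.exe score high, the one written by an installer under Program Files scores medium, and the PDF written to Downloads is ignored. Reviewing the shortcut's target afterwards tells you what actually runs at logon.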