Attackers behind the malware known as SolarMarker are using PDF documents filled with search engine optimization (SEO) keywords to boost their visibility on search engines in order to lead potential victims to malware on a malicious site that poses as Google Drive.
According to Microsoft, SolarMarker is a backdoor malware that steals data and credentials from browsers.
SEO poisoning is an old-school technique that uses search engines to spread malware. In this case, the attackers are using thousands of PDFs filled with keywords and links that redirect the unwary across multiple sites towards one that installs the malware.
“The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from “insurance form” and “acceptance of contract” to “how to join in SQL” and “math answers”,” said Microsoft Security Intelligence in a tweet.
Crowdstrike raised an alarm about SolarMarker in February for using the same SEO poisoning tactics. The malware predominantly targeted users in North America.
The attackers were hosting pages on Google Sites as lures for the malicious downloads. The sites were promoting document downloads and were often highly ranked in search results, again to boost search ranking.
Microsoft researchers found the attackers have started using Amazon Web Services (AWS) and Strikingly’s service as well as Google Sites.
“When opened, the PDFs prompt users to download a .doc file or a .pdf version of their desired info. Users who click the links are redirected through 5 to 7 sites with TLDs like .site, .tk, and .ga,” Microsoft said.
“After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file.”
This typically leads to the SolarMarker/Jupyter malware, but Microsoft has also seen random files being downloaded as part of an apparent method to dodge detection, it added.
It exfiltrates stolen data to a command-and-control server and persists by creating shortcuts in the Startup folder as well as modifying shortcuts on the desktop.
“Microsoft 365 Defender data shows that the SEO poisoning technique is effective, given that Microsoft Defender Antivirus has detected and blocked thousands of these PDF documents in numerous environments,” Microsoft said.