The malware, known as SolarMarker, uses PDF documents stuffed with search engine optimization (SEO) keywords.
Source: B92, PC Press, Zdnet
In this way the attackers behind these campaigns improve their visibility in search engines, so that potential victims are steered to malware hosted on a malicious site impersonating Google Drive. According to Microsoft, SolarMarker is a backdoor malware that steals data and credentials from browsers. SEO poisoning is an old tactic that uses search engines to spread malware. In this case, the attackers use thousands of PDF files stuffed with keywords and links, which redirect an unwary user through multiple sites to a site that installs the malware.
The attack relies on PDF documents designed to rank well in search results. To achieve this, the attackers filled the documents with more than 10 pages of keywords on a wide range of topics, from "insurance form" and "contract acceptance" to answers to mathematics questions, Microsoft Security Intelligence said in a tweet. The malware primarily targets users in North America. The attackers hosted pages on Google Sites as bait for the malicious downloads. These sites promote document downloads and often rank highly in search results.
Microsoft researchers found that the attackers have also begun using Amazon Web Services (AWS) and Strikingly, in addition to Google Sites. When opened, the PDFs prompt users to download a .doc file or a .pdf version of the information they were looking for. Microsoft said that users who click the link are redirected through 5 to 7 sites on TLDs such as .site, .tk and .ga. After the redirects, users land on an attacker-controlled site that imitates Google Drive and asks them to download a file. This usually leads to the SolarMarker/Jupyter malware, which sends the stolen data to a command and control server, then creates shortcuts in the Startup folder and modifies the shortcuts on the desktop. Microsoft said that Microsoft 365 Defender data shows the SEO poisoning technique is effective, given that Microsoft Defender Antivirus has detected and blocked thousands of such PDF documents across a number of environments.
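The redirect chain described above (a bait page, five to seven intermediate sites on TLDs such as .site, .tk and .ga, and a landing page posing as Google Drive) is something a defender can flag in proxy or browser-history data. The following is an added example, not code from the article or from Microsoft; the sample chains are constructed, and the set of legitimate Google Drive hosts is an assumption.

```python
"""Flag redirect chains that match the SolarMarker SEO-poisoning pattern.

Added example, not from the article or from Microsoft. Input is an ordered
list of URLs a user was sent through; a proxy log would supply real chains.
"""
from urllib.parse import urlparse

SUSPICIOUS_TLDS = {"site", "tk", "ga"}  # TLDs the article reports in the chain
LEGIT_DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}  # assumption: real Drive hosts


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def tld_of(url: str) -> str:
    host = host_of(url)
    return host.rsplit(".", 1)[-1] if "." in host else ""


def is_drive_lookalike(url: str) -> bool:
    """A host that trades on the Google Drive name but is not Google's."""
    host = host_of(url)
    return host not in LEGIT_DRIVE_HOSTS and ("drive" in host or "google" in host)


def assess_chain(urls: list[str], min_sites: int = 5) -> tuple[str, list[str]]:
    """Return ("suspicious" | "benign", reasons) for one ordered redirect chain."""
    if len(urls) < 2:
        return "benign", []
    reasons = []
    hops = urls[1:-1]  # sites between the bait page and the landing page
    if len({host_of(u) for u in hops}) >= min_sites:
        reasons.append(f"{len(hops)} intermediate sites")
    bad = sorted({tld_of(u) for u in hops if tld_of(u) in SUSPICIOUS_TLDS})
    if bad:
        reasons.append("intermediate TLDs " + ", ".join("." + t for t in bad))
    if is_drive_lookalike(urls[-1]):
        reasons.append(f"landing host {host_of(urls[-1])} imitates Google Drive")
    # Two indicators together match the article's pattern; one alone is weak evidence.
    return ("suspicious" if len(reasons) >= 2 else "benign"), reasons


# Constructed sample chains, not real indicators.
POISONED_CHAIN = ["https://sites.google.com/view/constructed-bait/home",
                  "https://hop-one.site/go", "https://hop-two.tk/next", "https://hop-three.ga/step",
                  "https://hop-four.site/again", "https://hop-five.tk/last",
                  "https://google-drive-share.site/download"]
BENIGN_CHAIN = ["https://example.com/report", "https://example.com/redirect",
                "https://drive.google.com/file/d/constructed-id"]
```

Calling `assess_chain(POISONED_CHAIN)` returns a "suspicious" verdict with three reasons, while the benign chain returns no reasons at all.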