16 June 21, 12:59
Quote:The pushers behind the SolarMarker backdoor malware are flooding the web with PDFs stuffed with keywords and links that redirect to the password-stealing, credential-snarfing malware.
Microsoft Security Intelligence said in a Tweet on Friday that the SolarMarker (also known as Jupyter) makers are looking for new success by using an old technique: Search Engine Optimization (SEO) poisoning. They’re stuffing thousands of PDF documents with SEO keywords and links that start a chain of redirects that eventually leads to the malware.
The attackers have expanded their range, according to Microsoft Security Intelligence, whose researchers have seen them shift from originally using Google Sites to now primarily using Amazon Web Services (AWS) and the Strikingly free website builder service.
In April, when the threat actors were focused on Google Sites, eSentire’s Threat Response Unit (TRU) discovered legions of unique, malicious web pages containing popular business terms/particular keywords, including business-form related keywords like “template,” “invoice,” “receipt,” “questionnaire” and “resume,” researchers observed at the time.
The attackers were using search-engine optimization (SEO) tactics to lure business users to more than 100,000 malicious Google sites that looked legitimate. They were in fact pure poison: Those sites installed a remote access trojan (RAT) that planted a foothold on a network so as to later infect systems with ransomware, credential-stealers, banking trojans and other malware.
Read more: Malicious PDFs Flood the Web, Lead to Password-Snarfing | Threadpost