How 'SEO Poisoning' Is Used to Deploy MalwarePDF Documents Stuffed With SEO Keywords Lead to Malware Attacks
SolarMarker backdoor malware operators are using "SEO poisoning" techniques to deploy the remote access Trojan to steal sensitive information, Microsoft reports.
See Also: Threat Briefing: Ransomware
The operators are using thousands of PDF documents stuffed with SEO keywords and links that start a chain of redirections eventually leading to the malware, Microsoft explains via Twitter.
Operators of the malware known as SolarMarker, Jupyter, other names are aiming to find new success using an old technique: SEO poisoning. They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware.— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2021
SEO poisoning is an illegitimate technique used to achieve a higher search engine ranking for websites in an effort to spread malware by prompting visitors to these highly ranked websites to download malicious files.
In April, cybersecurity firm eSentire found that hackers had flooded the web with 100,000 malicious pages that promised professionals free business forms but were actually delivering malware.
In SEO poisoning attacks, the PDF files, which turn up in search results, often lead a victim into downloading a .doc file or a .pdf version of their desired information. Victims who click on these links are redirected through five to seven sites with TLDs like .site, .tk, and .ga.
"The attack works by using PDF documents designed to rank on search results," Microsoft Security Intelligence wrote in its tweet about the latest efforts of the SolarMarker gang. "To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from 'insurance form' and 'acceptance of contract' to 'how to join in SQL' and 'math answers.'"
Multiple redirection leads a user to an attacker-controlled site that imitates Google Drive and then prompts the user to download a file that contains the SolarMarker malware. But Microsoft researchers also note that they have witnessed random files being downloaded in what appears to be a detection evasion tactic.
The backdoor malware, SolarMarker - also referred to as Yellow Cockatoo, Jupyter and Polazert - steals data and credentials from browsers. It sends stolen data to a command-and-control server and persists by creating shortcuts in the startup folder as well as modifying shortcuts on the desktop.
Once the RAT is downloaded, a copy of the legitimate Slim PDF reader application is also downloaded.
Microsoft researchers say the attackers likely install the PDF reader application in an effort to convince the victim of the legitimacy of the document they were seeking or as a distraction from the installation of the malware.
Once the RAT is successfully deployed on a victim machine, the attackers can send commands and upload additional malware, such as ransomware, a credential stealer or a banking Trojan, to the infected systems, according to the eSentire report.
During its earlier analysis, eSentire found that the attackers used Google Sites to host malicious documents. But Microsoft researchers recently observed that attackers shifted to using the hosting services Amazon Web Services and Strikingly, and they notified both services.
SEO Poisoning Widespread
Microsoft says that the SEO poisoning technique is widespread, reporting that Microsoft Defender Antivirus has detected and blocked thousands of the hackers' PDF documents in numerous environments.
Researchers at eSentire recommend that organizations - even those using antivirus software - enable EDR in block mode so known malware is stopped.
Spence Hutchinson, manager of threat intelligence for eSentire, says that the infection process relies on exploiting the user, not an application.
"The user simply executes a binary disguised as a PDF to infect the machine. This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code," he says. "Unfortunately, it reveals a glaring blind spot in controls which allow users to execute untrusted binaries or script files at will."