Cybersecurity researchers have found threat actors using search engine results to lure business professionals into unknowingly installing a Remote Access Trojan (RAT).
According to an analysis from eSentire, the threat actors are targeting users who are searching for business PDF forms such as invoices, templates, receipts, document templates, and questionnaires. The attackers reportedly hide the RAT behind these forms, redirecting users to fraudulent websites that host the malware, and use the malicious document templates to infiltrate victims’ devices.
“Once the RAT is on the victim’s computer and activated, the threat actors can send commands and upload additional malware to the infected system, such as ransomware, a credential stealer, a banking Trojan, or simply use the RAT as a foothold into the victim’s network,” eSentire said.
Spreading Malicious PDFs
eSentire researchers found that when a user downloads one of these forms, the download also installs the SolarMarker RAT (also known as Yellow Cockatoo, Jupyter, and Polazert). Once SolarMarker is active, the cybercriminals send commands and upload additional malware payloads to the infected system. The researchers suspect that SolarMarker is capable of supporting a wide range of attacks, including ransomware, credential theft, fraud, and cyber espionage operations.
eSentire discovered over 100,000 web pages deployed by the threat actors via Google Sites. These unique web pages contain popular business terms and keywords such as template, invoice, receipt, questionnaire, and resume. “In a precursory search, 70,000 unique web pages included the mention of either template or invoice. These common business terms serve as keywords for the threat actors’ search optimization strategy, convincing Google’s web crawler that the intended content meets conditions for a high PageRank score,” eSentire added.
Other Findings on SolarMarker
- The threat actors have created tens of hundreds of web pages with popular business terms, such as invoice, statement, receipt, questionnaire, so that when a business professional is searching the Internet for a specific business template, there is a chance that the top search results will include one of their malicious pages.
- The infection process relies on exploiting the user, not an application. The user simply executes a binary disguised as a PDF to infect the machine. This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code. Unfortunately, it reveals a glaring blind spot in controls that allow users to execute untrusted binaries or script files at will.
- The SolarMarker campaign utilizes a variety of decoy applications. Most recently, TRU (eSentire’s Threat Response Unit) observed the Slim PDF reader software being downloaded onto the victim’s computer as a decoy. This serves as a distraction, as well as an additional element to help convince the victim that they are downloading a PDF.
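The second finding above is the one a defender can act on most directly: the user is handed an executable that merely looks like a PDF. The following script is an added example, not code from the article or from eSentire, that shows a basic check for that blind spot: it walks a downloads folder and flags files that present themselves as PDFs but carry an executable extension behind the `.pdf` (double extension) or begin with an executable header rather than `%PDF-`. The magic bytes and the list of directly executable Windows extensions are standard values; the sample files it scans are constructed in a temporary folder and contain no real malware.

```python
"""Flag downloads that claim to be PDFs but are really executables.

Added example (not from the article or the eSentire report). The sample
files are constructed here so the script runs offline.
"""
import tempfile
from pathlib import Path

# Magic bytes of the formats we care about (well-known values).
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"          # Windows executables (EXE, DLL, SCR)
ELF_MAGIC = b"\x7fELF"    # Linux executables
# Extensions Windows will execute directly when the user double-clicks.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd",
                 ".js", ".jse", ".vbs", ".wsf", ".ps1", ".hta", ".lnk"}
HEADER_BYTES = 1024  # PDF readers tolerate junk before %PDF-, so inspect the first 1 KiB


def classify(path: Path) -> str:
    """Classify one file as 'ok', 'masquerade:<reason>' or 'suspicious:<reason>'."""
    suffixes = [s.lower() for s in path.suffixes]
    if ".pdf" not in suffixes:
        return "ok"  # only files that present themselves as PDFs are of interest here
    with path.open("rb") as fh:
        head = fh.read(HEADER_BYTES)
    # 1. invoice.pdf.exe: the visible name says PDF, the real extension is executable
    if suffixes[-1] in EXEC_SUFFIXES:
        return "masquerade:double-extension"
    # 2. receipt.pdf: name says PDF, bytes say executable (a renamed binary)
    if head.startswith(PE_MAGIC) or head.startswith(ELF_MAGIC):
        return "masquerade:executable-content"
    # 3. name says PDF but there is no PDF header at all: not proof of malice, but not a PDF
    if PDF_MAGIC not in head:
        return "suspicious:not-a-pdf"
    return "ok"


def scan_downloads(folder: Path) -> dict:
    """Classify every regular file in a folder, keyed by file name."""
    return {p.name: classify(p) for p in sorted(folder.iterdir()) if p.is_file()}


def build_samples(folder: Path) -> None:
    """Write constructed sample files (harmless stand-ins, not real malware) into folder."""
    samples = {
        "invoice-template.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # double extension
        "receipt.pdf": b"MZ\x90\x00" + b"\x00" * 60,       # binary renamed to .pdf
        "questionnaire.pdf": b"this is not a pdf\n",       # mislabelled, non-executable
        "notes.txt": b"plain text, ignored\n",
    }
    for name, data in samples.items():
        (folder / name).write_bytes(data)


def demo() -> dict:
    """Build the samples in a temporary folder and return the scan verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        build_samples(folder)
        return scan_downloads(folder)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:32} {name}")
```

Run it against a real downloads folder by calling `scan_downloads(Path.home() / "Downloads")`; anything reported as `masquerade:*` is a file that a user could double-click expecting a document and get a program instead, which is exactly the behaviour the finding describes. The check is deliberately conservative: a file with a `.pdf` name and no recognisable header is only marked suspicious, since some legitimate tools produce odd files, whereas an executable header behind a PDF name is a clear mismatch.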
“Security leaders and their teams need to know that the threat group behind SolarMarker has gone to a lot of effort to compromise business professionals, spreading a wide net, and using many tactics to successfully disguise their traps. Another troubling aspect of this campaign is that the SolarMarker group has populated many of their malicious web pages with keywords relating to financial documents, e.g., statements, receipts, invoices, etc.,” said Spence Hutchinson, Manager of Threat Intelligence for eSentire.