A series of attacks has been observed using SEO poisoning to infect targets with a Remote Access Trojan (RAT). The malware is identified as SolarMarker and is capable of stealing sensitive information and backdooring compromised systems. It is a .NET RAT that runs in memory and drops additional payloads on compromised devices.
What has happened?
According to Microsoft, SolarMarker is a malicious threat developed to backdoor compromised systems and steal credentials from infected web browsers. The stolen data is then exfiltrated to the C2 server.
After infection, SolarMarker gains persistence by adding itself to the Startup folder and modifying shortcuts on the victim's desktop.
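As an added defender-side example (not code from the article or from any vendor it cites), the following PowerShell triage script reviews the two persistence locations named above: the current user's Startup folder and the shortcuts on the desktop. It flags shortcuts whose target is a script interpreter, no longer exists, or points into a user-writable directory; the interpreter list and path patterns are assumptions chosen for this example.

```powershell
# Added example: triage the Startup folder and desktop shortcuts for
# persistence of the kind described above. Run in the context of the
# user being triaged; read-only, changes nothing on the host.
$startup = [Environment]::GetFolderPath('Startup')
$desktop = [Environment]::GetFolderPath('Desktop')
$shell   = New-Object -ComObject WScript.Shell

# Interpreters that are unusual as desktop/Startup shortcut targets
# (assumed list for this example; extend to match your environment).
$scriptHosts = 'powershell.exe','pwsh.exe','cmd.exe','wscript.exe',
               'cscript.exe','mshta.exe','rundll32.exe'
# User-writable locations a dropped payload typically lives in (assumed).
$writablePattern = '\\AppData\\|\\Temp\\|\\ProgramData\\'

Write-Host "== Startup folder contents (anything unexpected here deserves a look) =="
Get-ChildItem -Path $startup -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

Write-Host "== Shortcut review: Startup + Desktop =="
Get-ChildItem -Path $startup, $desktop -Filter *.lnk -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $lnk     = $shell.CreateShortcut($_.FullName)
    $target  = $lnk.TargetPath
    $lnkArgs = $lnk.Arguments
    $reasons = @()
    if ($target -and $scriptHosts -contains [IO.Path]::GetFileName($target).ToLower()) {
        $reasons += 'target is a script host'
    }
    if ($target -and -not (Test-Path -LiteralPath $target)) {
        $reasons += 'target path does not exist'
    }
    if ($target -match $writablePattern -or $lnkArgs -match $writablePattern) {
        $reasons += 'target/arguments reference a user-writable location'
    }
    if ($lnkArgs.Length -gt 200) { $reasons += 'unusually long arguments' }
    [PSCustomObject]@{
        Shortcut   = $_.Name
        Folder     = $_.DirectoryName
        Target     = $target
        Arguments  = $lnkArgs
        Suspicious = ($reasons -join '; ')
    }
  } | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

A flagged shortcut is a lead, not a verdict: compare its target and arguments against a known-good copy of the same shortcut before acting.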
In April, SolarMarker attackers were observed flooding search results with over 100,000 web pages offering free office forms (resumes, invoices, receipts, and questionnaires).
These office forms act as traps for business professionals searching for document templates, infecting them with the RAT through drive-by downloads and search redirections via Google/Shopify sites.
Based on misspellings consistent with translation from Russian to English, the SolarMarker developers are suspected to be Russian-speaking actors.
In recent attacks, the attackers have been using keyword-stuffed documents hosted on Strikingly and AWS. Moreover, they are now targeting other sectors, such as finance and education.
Abusing AWS and Strikingly
The attackers are using thousands of PDF documents stuffed with SEO keywords and links that trigger a chain of redirections leading to malware. The PDF documents are crafted specifically to rank highly in search results.
To achieve this, attackers filled these documents with more than 10 pages of keywords on multiple topics, from ‘insurance for’ and ‘how to join in SQL’ and ‘math answers’ to ‘acceptance of a contract.’
Once a victim finds one of the maliciously crafted PDFs and clicks on it, they are urged to download another DOC or PDF document that supposedly contains the information they are looking for.
The ultimate objective of the attackers behind SolarMarker RAT infections is not yet clear. Plausible goals include credential theft, fraud, or gaining a foothold in targeted networks for espionage or data exfiltration. Therefore, security professionals need to keep a strict eye on this evolving threat.