Malicious PDFs Flood the Web, Lead to Password-Snarfing

SolarMarker makers are using SEO poisoning, stuffing thousands of PDFs with tens of thousands of pages full of SEO keywords & links to redirect to the malware.

The pushers behind the SolarMarker backdoor malware are flooding the web with PDFs stuffed with keywords and links that redirect to the password-stealing, credential-snarfing malware.

Microsoft Security Intelligence said in a Tweet on Friday that the SolarMarker (also known as Jupyter) makers are looking for new success by using an old technique: Search Engine Optimization (SEO) poisoning. They’re stuffing thousands of PDF documents with SEO keywords and links that start a chain of redirects that eventually leads to the malware.

The attackers have expanded their range, according to Microsoft Security Intelligence, whose researchers have seen them shift from originally using Google Sites to now primarily using Amazon Web Services (AWS) and the Strikingly free website builder service.

In April, when the threat actors were focused on Google Sites, eSentire’s Threat Response Unit (TRU) discovered legions of unique, malicious web pages containing popular business terms/particular keywords, including business-form related keywords like “template,” “invoice,” “receipt,” “questionnaire” and “resume,” researchers observed at the time.

The attackers were using search-engine optimization (SEO) tactics to lure business users to more than 100,000 malicious Google sites that looked legitimate. They were in fact pure poison: Those sites installed a remote access trojan (RAT) that planted a foothold on a network so as to later infect systems with ransomware, credential-stealers, banking trojans and other malware.

The current attack works in similar fashion, using PDF documents designed to come in near the top of search results. To get up there, the attackers crammed the documents full, with more than 10,000 pages of keywords on a range of topics, from “insurance form” and “acceptance of contract” to “how to join in SQL” and “math answers”.

The PDF files or pages referencing them turned up high in search results, as intended. When opened, the PDFs prompt users to download a .doc file or a .pdf version of the document they think they should be getting. Victims who click on the links are redirected through between five to seven sites with top-level domains (TLDs) including .site, .tk, and .ga, Microsoft said.

Rigged PDF and another file gussied up to look like an official document. Source: Microsoft

After they’ve been led through the redirect maze, users are funneled into a site that imitates Google Drive. Then, they’re prompted to download the file, which researchers said is typically the SolarMarker malware. They’ve also seen random files being proffered for download as “a detection/analysis evasion tactic,” they said.

The SolarMarker backdoor malware gobbles data and credentials from browsers. Then, it sends the stolen data to a command-and-control (C2) server. It manages to persist by creating shortcuts in the Startup folder and by modifying desktop shortcuts.

A Rash of SEO Poisoning

SEO poisoning, also known as search poisoning, has been around for a while. It entails the creation of boobytrapped websites and the use of SEO tactics to place those sites at or near the top of search results. The researchers said that Microsoft 365 Defender data show that this particular flavor of SEO poisoning – as in, packing the PDFs full of common, oft-used keywords and links to their rigged sites – is working quite well for the SolarMarker attackers. “Microsoft Defender Antivirus has detected and blocked thousands of these PDF documents in numerous environments,” they said in a Tweet stream.

Blocking the Bursting-With-Bad PDFs

Microsoft recommends that organizations that aren’t using Microsoft Defender Antivirus, Microsoft Defender for Endpoint to alert for the malicious files and behaviors can enable endpoint detection and response (EDR) in block mode to stop unknown malware in the security product they’re using. The researchers also offered this link for advanced hunting queries that security teams can use to locate “similar or related activity” in their environments:

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.

Suggested articles