Malicious PDFs Flood the Web, Lead to Password-Snarfing

SolarMarker makers are using SEO poisoning, stuffing thousands of PDFs with tens of thousands of pages full of SEO keywords & links to redirect to the malware.

The pushers behind the SolarMarker backdoor malware are flooding the web with PDFs stuffed with keywords and links that redirect to the password-stealing, credential-snarfing malware.

Microsoft Security Intelligence said in a Tweet on Friday that the SolarMarker (also known as Jupyter) makers are looking for new success by using an old technique: Search Engine Optimization (SEO) poisoning. They’re stuffing thousands of PDF documents with SEO keywords and links that start a chain of redirects that eventually leads to the malware.

The attackers have expanded their range, according to Microsoft Security Intelligence, whose researchers have seen them shift from originally using Google Sites to now primarily using Amazon Web Services (AWS) and the Strikingly free website builder service.

In April, when the threat actors were focused on Google Sites, eSentire’s Threat Response Unit (TRU) discovered legions of unique, malicious web pages containing popular business terms and particular keywords, including business-form keywords like “template,” “invoice,” “receipt,” “questionnaire” and “resume,” researchers observed at the time.

The attackers were using search-engine optimization (SEO) tactics to lure business users to more than 100,000 malicious Google sites that looked legitimate. They were in fact pure poison: Those sites installed a remote access trojan (RAT) that planted a foothold on a network so as to later infect systems with ransomware, credential-stealers, banking trojans and other malware.

The current attack works in similar fashion, using PDF documents designed to come in near the top of search results. To get up there, the attackers crammed the documents full, with more than 10,000 pages of keywords on a range of topics, from “insurance form” and “acceptance of contract” to “how to join in SQL” and “math answers”.

The PDF files or pages referencing them turned up high in search results, as intended. When opened, the PDFs prompt users to download a .doc file or a .pdf version of the document they think they should be getting. Victims who click on the links are redirected through five to seven sites with top-level domains (TLDs) including .site, .tk, and .ga, Microsoft said.

Rigged PDF and another file gussied up to look like an official document. Source: Microsoft

After they’ve been led through the redirect maze, users are funneled into a site that imitates Google Drive. Then, they’re prompted to download the file, which researchers said is typically the SolarMarker malware. They’ve also seen random files being proffered for download as “a detection/analysis evasion tactic,” they said.
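The redirect chain described above is visible in web-proxy logs. The following is an added example, not code from Microsoft or the article: it rebuilds per-client redirect chains from 3xx responses and flags chains that cross five or more sites with several hops on the TLDs named above. The log layout, the hostnames and the `MIN_SUSPECT` threshold are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

SUSPECT_TLDS = {"site", "tk", "ga"}  # TLDs the article names for the redirect sites
MIN_SITES = 5                        # article: five to seven sites per chain
MIN_SUSPECT = 2                      # assumption: tuning threshold, not from the article

# Constructed proxy records (client, URL, status, Location); all hostnames are invented.
SAMPLE = [
    ("10.0.0.5", "http://constructed-a.site/go", 302, "http://constructed-b.tk/r"),
    ("10.0.0.5", "http://constructed-b.tk/r", 302, "/r2"),  # relative Location
    ("10.0.0.5", "http://constructed-b.tk/r2", 301, "http://constructed-c.ga/x"),
    ("10.0.0.5", "http://constructed-c.ga/x", 302, "http://constructed-d.site/y"),
    ("10.0.0.5", "http://constructed-d.site/y", 302, "http://constructed-e.tk/z"),
    ("10.0.0.5", "http://constructed-e.tk/z", 302, "https://drive-lookalike.example/f"),
    ("10.0.0.5", "https://drive-lookalike.example/f", 200, None),
    ("10.0.0.9", "http://intranet.example/", 301, "https://intranet.example/"),
    ("10.0.0.9", "https://intranet.example/", 302, "/login"),
]

def redirect_chains(records):
    """Rebuild each client's redirect chains from the 3xx responses in the log."""
    nxt = {}
    for client, url, status, location in records:
        if 300 <= status < 400 and location:
            nxt[(client, url)] = urljoin(url, location)  # resolve relative targets
    targets = {(client, dest) for (client, _), dest in nxt.items()}
    chains = []
    for client, url in nxt:
        if (client, url) in targets:
            continue  # mid-chain hop, not a starting point
        chain = [url]
        while (client, chain[-1]) in nxt and nxt[(client, chain[-1])] not in chain:
            chain.append(nxt[(client, chain[-1])])  # second condition guards loops
        chains.append((client, chain))
    return chains

def sites(chain):
    """Distinct hostnames in visit order, skipping URLs without a host."""
    return list(dict.fromkeys(h for u in chain if (h := urlsplit(u).hostname)))

def find_suspicious(records):
    """Chains crossing >= MIN_SITES sites, >= MIN_SUSPECT of them on a listed TLD."""
    flagged = []
    for client, chain in redirect_chains(records):
        hosts = sites(chain)
        hits = [h for h in hosts if h.rsplit(".", 1)[-1].lower() in SUSPECT_TLDS]
        if len(hosts) >= MIN_SITES and len(hits) >= MIN_SUSPECT:
            flagged.append((client, hosts))
    return flagged
```

Counting distinct sites rather than raw redirects keeps same-host hops, such as an HTTP-to-HTTPS upgrade followed by a login redirect, from inflating the score.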

The SolarMarker backdoor malware gobbles data and credentials from browsers. Then, it sends the stolen data to a command-and-control (C2) server. It manages to persist by creating shortcuts in the Startup folder and by modifying desktop shortcuts.

A Rash of SEO Poisoning

SEO poisoning, also known as search poisoning, has been around for a while. It entails the creation of boobytrapped websites and the use of SEO tactics to place those sites at or near the top of search results. The researchers said that Microsoft 365 Defender data show that this particular flavor of SEO poisoning – as in, packing the PDFs full of common, oft-used keywords and links to their rigged sites – is working quite well for the SolarMarker attackers. “Microsoft Defender Antivirus has detected and blocked thousands of these PDF documents in numerous environments,” they said in a Tweet stream.

Blocking the Bursting-With-Bad PDFs

Microsoft said that Microsoft Defender for Endpoint alerts on the malicious files and behaviors, and recommends that organizations that aren’t using Microsoft Defender Antivirus enable endpoint detection and response (EDR) in block mode to stop unknown malware that the security product they’re using does not catch. The researchers also offered this link for advanced hunting queries that security teams can use to locate “similar or related activity” in their environments:




  • Alvera J Millsaps on

    We, as a country, (I'm referring to my country here, the U.S.,) should perhaps put stronger penalties in place for illegal cyberspace activities. We could start with the internet companies policies which they are expected to have but then have no authority to enforce when those (legal) policies are broken. Maybe a lawsuit by Microsoft, Google, Apple or any other internet company could set precedence for how serious those crimes can be. In summary, if you want to play big, be prepared for losing big also.
    • DAMON on

      Just like gun control?
  • Ryan on

    Do you not realize that the judicial system can put people who commit cyber crimes away for multiple lifetimes if the prosecutors and judges decide to? The issue isn't that the penalties aren't strict enough. The problem is that it's expensive and labor intensive to track down the bad actors and even when you do, they're probably in a country that isn't going to expedite criminals to the US anyway. Also the US can't even get rid of scam callers pretending to be the IRS or the police. Do you think going after computer programmers is going to be easier for us? Lol
  • Dingus on

    Stronger penalties would do nothing because most if not all of these bad actors are in countries that turn a blind eye and do not have extradition treaties.
  • Christin Delashmit on

    I'M A VICTIM OF THIS EXACT DESCRIPTION. MY PHONE, MY TVS, ANY WIFI CAPABLE DEVICE IS INVADED AND USING GOOGLE AND Amazon to hijack my accounts ... also using S21 capabilities against me ... I've tried with Att but can't protect me won't split an account and keeps the hack going
  • Todd on

    Most of those organizing these scams are not in the US. Hence the US has no jurisdiction in the places they live and where they are running the scam from.
