Rewterz Threat Alert – Microsoft Alerts on SEO Poisoning Campaign – Active IOCs

Severity

Medium

Analysis Summary

Microsoft observed a large number of attacks that use SEO poisoning Campaigns to deliver Remote Access Trojans (RAT) to steal confidential data. SEO poisoning Campaign is a relatively new and potent technique. And  Microsoft Defender Antivirus has blocked and detected a large number of PDF files in different sectors that use this technique. SolarMaker RAT IS installed when users open a .doc file Or a .pdf file. Once the user clicks on the links, they will be redirected through 5 to 7 sites with top-level domains like .site, .tk, and .ga. 

These pdf files are hosted on Amazon Web Services (AWS) and Strikingly primarily as noticed by Microsoft experts. SEO poisoning Campaign is delivering a fileless dubbed SolarMarker (aka Jupyter, Polazert, and Yellow Cockatoo), a .NET RAT which is also used to deliver other malicious payloads on the infected devices. SolarMarker uses backdoor skills and allows operators to steal sensitive data from web browsers, it gains persistence by adding itself to the Startup folder and modifying shortcuts on the victims’ desktop. In April, Information Security experts from different regions of the world discover over 100,000 unique web pages that contained popular business terms/particular keywords (i.e. template, invoice, receipt, questionnaire, and resume).

“Operators of the malware known as SolarMarker, Jupyter, other names are aiming to find new success using an old technique: SEO poisoning. They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware,” states Microsoft. “After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file, which is typically the SolarMarker/Jupyter malware, but we have also seen random files being downloaded, a detection/analysis evasion tactic.“

Impact

• Exposure of Sensitive Data
• Credential theft

Indicators of Compromise

Email

• in@jetclubs[.]biz
• ex@exdigy[.]ne

IP

• 92[.]118[.]149[.]238

MD5

• 7be0725643c89e332b0434536a96de50
• 22f39b13e3cf7a296f62bf720611beb6
• 927e2e5292baa585c00681b3e11e60b5

SHA-256

• 3e99b59df79d1ab9ff7386e209d9135192661042bcdf44dde85ff4687ff57d01
• ceb42fea3be898251028e2c5128a69451212bcb48a4871454c60dc2262426677
• ce486097ad2491aba8b1c120f6d0aa23eaf59cf698b57d2113faab696d03c601

SHA1

• b2ed7e45eec9afb74ffbfa90495824945b8a84c7
• a579b4a5ded96bc4c46664a5b8f1c943bf8d430d
• 942c1b5eb8ea14e2fa0d0b83a296cf37c8efa688

Remediation

• Incorporate Known IOCs into IDS
• Phishing Awareness Training
• Microsoft recommends that organizations enable EDR in block mode to block the malware.