Microsoft observed a large number of attacks that use SEO poisoning campaigns to deliver remote access trojans (RATs) in order to steal confidential data. SEO poisoning is a relatively new and potent technique, and Microsoft Defender Antivirus has detected and blocked a large number of PDF files across different sectors that use it. The SolarMarker RAT is installed when users open a .doc or .pdf file and click the links inside; they are then redirected through 5 to 7 sites with top-level domains such as .site, .tk, and .ga.
According to Microsoft's researchers, these PDF files are hosted primarily on Amazon Web Services (AWS) and Strikingly. The campaign delivers a fileless .NET RAT dubbed SolarMarker (aka Jupyter, Polazert, and Yellow Cockatoo), which is also used to drop further malicious payloads on infected devices. SolarMarker has backdoor capabilities that let its operators steal sensitive data from web browsers; it gains persistence by adding itself to the Startup folder and modifying shortcuts on the victim's desktop. In April, information security researchers from different regions of the world discovered over 100,000 unique web pages containing popular business terms and keywords (e.g., template, invoice, receipt, questionnaire, and resume).
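The redirect behaviour described above (a run of 5 to 7 hops across cheap TLDs ending in a file download) is something a defender can look for in web proxy logs. The following script is an added example and is not Microsoft's tooling or part of the original report: it assumes a hypothetical space-separated proxy export with the fields `<epoch> <client_ip> <status> <method> <url> <content_type>`, and the hostnames and log lines in it are constructed for illustration.

```python
"""Flag SEO-poisoning style redirect chains in web proxy logs.

Added example, not Microsoft's code. The log format is a hypothetical
space-separated proxy export:
    <epoch> <client_ip> <status> <method> <url> <content_type>
Heuristic: a client follows a run of HTTP 3xx responses across at least
MIN_HOPS distinct hosts, at least one of which sits on a TLD named in the
report (.site, .tk, .ga), and the run ends in an executable download.
"""
from collections import defaultdict
from urllib.parse import urlparse

SUSPECT_TLDS = {"site", "tk", "ga"}      # TLDs named in the report
MIN_HOPS = 5                             # report: 5 to 7 redirects
DOWNLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}

# Constructed sample traffic (hostnames are placeholders, not real IoCs).
SAMPLE_LOG = """
# client 10.0.0.5: lure PDF, five cheap-TLD hops, then an .exe download
1000 10.0.0.5 200 GET https://doc-host.example.com/template.pdf application/pdf
1001 10.0.0.5 302 GET https://hop1-example.site/r text/html
1002 10.0.0.5 302 GET https://hop2-example.tk/r text/html
1003 10.0.0.5 302 GET https://hop3-example.ga/r text/html
1004 10.0.0.5 302 GET https://hop4-example.site/r text/html
1005 10.0.0.5 302 GET https://hop5-example.tk/r text/html
1006 10.0.0.5 200 GET https://fake-drive-example.com/download/resume.exe application/x-msdownload
# client 10.0.0.9: ordinary http->https redirect, not flagged
2000 10.0.0.9 301 GET http://www.example.com/ text/html
2001 10.0.0.9 200 GET https://www.example.com/ text/html
# client 10.0.0.12: long chain but on .com only and ending in a PDF, not flagged
3000 10.0.0.12 302 GET https://a-example.com/r text/html
3001 10.0.0.12 302 GET https://b-example.com/r text/html
3002 10.0.0.12 302 GET https://c-example.com/r text/html
3003 10.0.0.12 302 GET https://d-example.com/r text/html
3004 10.0.0.12 302 GET https://e-example.com/r text/html
3005 10.0.0.12 302 GET https://f-example.com/r text/html
3006 10.0.0.12 200 GET https://g-example.com/brochure.pdf application/pdf
""".strip().splitlines()


def parse_line(line):
    """Split one log line into a record; raises ValueError on malformed input."""
    epoch, client, status, _method, url, ctype = line.split()
    return {"t": int(epoch), "client": client, "status": int(status),
            "url": url, "host": urlparse(url).hostname or "", "ctype": ctype}


def tld(host):
    return host.rsplit(".", 1)[-1].lower()


def find_redirect_chains(lines):
    """Return flagged chains as dicts with client, hosts, suspect_tlds, final_url."""
    by_client = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        by_client[rec["client"]].append(rec)

    flagged = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["t"])
        chain = []                       # consecutive 3xx responses for this client
        for rec in recs:
            if 300 <= rec["status"] < 400:
                chain.append(rec)
                continue
            # A non-redirect response terminates the run; evaluate it.
            hosts = list(dict.fromkeys(r["host"] for r in chain))   # distinct, ordered
            suspect = [h for h in hosts if tld(h) in SUSPECT_TLDS]
            is_download = (rec["ctype"] in DOWNLOAD_TYPES
                           or rec["url"].lower().endswith(".exe"))
            if len(hosts) >= MIN_HOPS and suspect and is_download:
                flagged.append({"client": client,
                                "hosts": hosts + [rec["host"]],
                                "suspect_tlds": sorted({tld(h) for h in suspect}),
                                "final_url": rec["url"]})
            chain = []
    return flagged


if __name__ == "__main__":
    for hit in find_redirect_chains(SAMPLE_LOG):
        print(f"{hit['client']}: {' -> '.join(hit['hosts'])}  [{', '.join(hit['suspect_tlds'])}]")
```

Run against the constructed sample, only client 10.0.0.5 is flagged; the short http-to-https redirect and the long .com-only chain ending in a PDF are ignored. In a real deployment the hop count, TLD set and download detection are the knobs to tune against your own traffic baseline.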
“Operators of the malware known as SolarMarker, Jupyter, and other names are aiming to find new success using an old technique: SEO poisoning. They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware,” states Microsoft. “After multiple redirections, users reach an attacker-controlled site, which imitates Google Drive, and are asked to download the file, which is typically the SolarMarker/Jupyter malware, but we have also seen random files being downloaded, a detection/analysis evasion tactic.”