Search-engine optimisation (SEO) tactics direct users searching for common business forms such as invoices, receipts, or other templates to hacker-controlled Google-hosted domains.
Hackers are using search-engine optimisation (SEO) tactics to tempt business users to more than 100,000 malicious Google sites that seem legitimate, but instead install a remote access trojan (RAT), used to gain a foothold on a network & later infect systems with ransomware, credential-stealers, banking trojans & other malware.
Malicious Web Pages
eSentire’s Threat Response Unit (TRU) discovered many unique, malicious web pages that contain popular business terms and particular keywords, including business-form related keywords such as template, invoice, receipt, questionnaire & resume, researchers observed in a report published Wednesday.
Attackers use Google search redirection & drive-by-download methods to direct unsuspecting victims to the RAT—tracked by eSentire as Solar Marker (a.k.a. Jupyter, Yellow Cockatoo & Polazert). Usually, a person who visits the infected site simply executes a binary disguised as a PDF by clicking on a supposed “form”, thus infecting his or her machine.
“This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code,” researchers explained. “Unfortunately, it reveals a glaring blind spot in controls, which allows users to execute untrusted binaries or script files at will.”
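The two controls the passage points at are (a) that the downloaded “form” is a Windows executable rather than a PDF, and (b) that the download came from a Google-hosted page reached through a Google search. The following is an added example, not code from eSentire or the report: it checks a file’s magic bytes against the document type its name claims, and scans constructed proxy-log lines (invented for this example, not real traffic) for executable downloads from sites.google.com pages that were reached from a Google search. The log format and field names are assumptions.

```python
# Added example (not from the eSentire report): two simple defender checks for
# the delivery pattern described above, namely a binary handed to the user as a
# "PDF form" from a Google-hosted page that the user reached via Google search.
import re

PDF_MAGIC = b"%PDF-"   # every PDF starts with this header
PE_MAGIC = b"MZ"       # every Windows PE executable starts with this signature

# Assumed list of extensions we treat as directly executable on a workstation.
EXEC_EXT = (".exe", ".scr", ".msi", ".js", ".vbs", ".bat")
DOC_EXT = (".pdf", ".docx", ".doc", ".rtf")


def classify_by_magic(data: bytes) -> str:
    """Return 'pdf', 'pe' or 'unknown' based on the first bytes of a file."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when the file name claims a document but the content is a PE file.

    A plain 'setup.exe' is not flagged here: the point is the mismatch between
    what the user was told they were downloading and what the bytes really are.
    """
    claims_document = filename.lower().endswith(DOC_EXT)
    return claims_document and classify_by_magic(data) == "pe"


# Assumed proxy-log layout: key=value pairs, no spaces inside values.
LOG_RE = re.compile(
    r"host=(?P<host>\S+) path=(?P<path>\S+) file=(?P<file>\S+) referer=(?P<ref>\S+)"
)


def suspicious_download_events(lines):
    """Return file names of executable downloads from a Google Sites page that
    was reached from a Google search result page."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # line does not match the assumed format; skip it
        from_google_search = "google.com/search" in m["ref"]
        google_hosted = m["host"].endswith("sites.google.com")
        executable = m["file"].lower().endswith(EXEC_EXT)
        if from_google_search and google_hosted and executable:
            hits.append(m["file"])
    return hits


# Constructed sample log lines (not real traffic). Only the first one matches
# all three conditions; the second is a real document, the third is internal.
SAMPLE_LOG = [
    "2021-06-02T14:03:11Z user=alice host=sites.google.com path=/view/free-invoice-template "
    "file=invoice_template.exe referer=https://www.google.com/search?q=free+invoice+template",
    "2021-06-02T14:05:40Z user=bob host=sites.google.com path=/view/team-page "
    "file=agenda.pdf referer=https://www.google.com/search?q=team+agenda",
    "2021-06-02T14:07:02Z user=carol host=intranet.example.test path=/forms "
    "file=installer.exe referer=https://intranet.example.test/",
]

# Constructed byte strings standing in for the first bytes of two downloads.
FAKE_PDF_DOWNLOAD = b"MZ\x90\x00\x03\x00\x00\x00"   # PE header, despite the .pdf name
REAL_PDF_DOWNLOAD = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"


if __name__ == "__main__":
    print("invoice.pdf disguised executable:",
          is_disguised_executable("invoice.pdf", FAKE_PDF_DOWNLOAD))
    print("invoice.pdf genuine document:",
          not is_disguised_executable("invoice.pdf", REAL_PDF_DOWNLOAD))
    print("suspicious downloads:", suspicious_download_events(SAMPLE_LOG))
```

The magic-byte check is the part worth wiring into a download proxy or endpoint scanner: a file whose name ends in .pdf but whose content begins with `MZ` is exactly the lure the report describes, and no signature for the specific RAT is needed to catch that mismatch.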
However, the campaign is not only far-reaching, but also sophisticated.
These common business terms serve as keywords for the threat players’ search-optimisation method, convincing Google’s web crawler that the intended content meets conditions for a high page-rank score, which means the malicious sites will appear at the top of user searches, explains the report.
This increases the possibility that victims will be lured to infected sites.
“Security leaders & their teams need to know that the threat group behind Solar Marker has gone to a lot of effort to compromise business professionals, spreading a wide net & using many tactics to successfully disguise their traps,” said Spence Hutchinson, Manager of Threat Intelligence for eSentire.
Researchers describe a recent incident in which a victim in the financial industry was searching online for a free version of a document & was redirected via Google Search to a Google Sites page controlled by threat players, which included an embedded download button.
Anyone in the financial industry would be a “high-value target” of the campaign, since compromising such a victim gives attackers various avenues to compromise an organisation & commit cyber-crime, researchers noted.
“Once a RAT has been installed on a victim’s computer, the threat actors can upload additional malware to the device, such as a banking trojan, which could be used to hijack the online banking credentials of the organisation,” they commented.
Threat players also could install a credential-stealer in this way, to harvest the employee’s email credentials & launch a business email compromise (BEC) scheme.
“Unfortunately, once a RAT is comfortably installed, the potential fraud activities are numerous,” researchers noted.
Microsoft .NET Framework
The TRU team also ‘looked under the bonnet’ of the RAT itself, which they note is written in the Microsoft .NET framework & has used various ‘decoy applications’ that download to a victim’s computer & appear to be legitimate software. More recently, TRU observed that the Slim PDF reader software was the lure being downloaded.
“This serves as a distraction, as well as an additional element to help convince the victim that they are downloading a PDF,” researchers commented.
Over the final months of 2020, attackers used other file formats for the decoy app, including docx2rtf.exe, photodesigner7_x86-64.exe, Expert_PDF.ex, & docx2rtf.exe, concludes the report.