Hackers are using search engine optimization (SEO) tactics to lure business users to more than 100,000 malicious Google Sites pages that appear legitimate but actually install a Remote Access Trojan (RAT), SolarMarket, which is used to break into a network and then infect systems with ransomware, credential stealers, banking trojans and other malware.
eSentire's Threat Response Unit (TRU) discovered malicious sites built around popular business terms and specific keywords, including business-form keywords such as template, invoice, receipt, questionnaire and CV, researchers said in a report published on April 14.
The attackers use Google search redirection and drive-by-download tactics to steer unsuspecting victims to the RAT, which eSentire has dubbed "SolarMarket" (it is also known as Jupyter, Yellow Cockatoo and Polazert). Typically, a visitor to the infected site clicks on what is presented as a "form" and unknowingly runs a binary disguised as a PDF, infecting their device.
The researchers added: "This is an increasingly common trend in malware distribution. Unfortunately, this reveals a strong blind spot in the controls, which allows users to run unreliable binaries or script files."
This is a malicious campaign that is not only extensive but also complex.
The most common business terms serve as keywords in the threat actors' search engine optimization strategy, convincing the Google web crawler that the content merits a high page rank, so the malicious sites appear at the top of users' search results, according to the report. This increases the likelihood that victims will be lured to the infected sites.
Spence Hutchinson, director of threat intelligence at eSentire, said: "Security leaders and their teams need to be aware that the hackers behind SolarMarket have made a lot of efforts to hit business professionals, spread a wide net and use a lot of tactics to successfully cover their traps."
Researchers describe a recent case in which a victim working in the financial sector searched for a free online document and was redirected via Google Search to a hacker-controlled Google Sites page with an embedded download button.
According to the researchers, someone working in the financial sector would be a "high-value target" of the campaign, giving the attackers various ways to break into an organization and commit cybercrime.
The researchers also noted: "Once a RAT is installed on the victim's computer, hackers can distribute additional malware on the device, such as a banking trojan, which could be used to compromise the organization's online banking credentials. Hackers could also set up a credential stealer this way to collect an employee's email credentials and launch a BEC (Business Email Compromise) attack. Unfortunately, once a RAT is installed, the potential for fraudulent activities is high."
According to TRU, the RAT is written in the Microsoft .NET framework and has used various decoy applications that are downloaded to the victim's computer and appear to belong there. Most recently, TRU observed the Slim PDF reader software being downloaded as the decoy. This serves as a distraction, as well as an additional element to convince the victim that they are downloading a PDF.
In the last months of 2020, hackers used other files as decoy apps, including docx2rtf.exe, photodesigner7_x86-64.exe, Expert_PDF.ex and docx2rtf.exe, according to the report.
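The blind spot the report describes is a user running a binary that is presented as a PDF "form". One download-monitoring check a defender could apply against that lure is to compare what a file's name promises with what its first bytes actually are. This is an added example, not code from eSentire's report; the extension lists, magic bytes and sample file names are constructed for illustration.

```python
"""Flag downloads whose file name promises a business document but whose
bytes say otherwise: the masquerade the SolarMarket lure relies on."""
import re

# Expected magic bytes for the document types the lure imitates.
DOC_MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
PE_MAGIC = b"MZ"                      # DOS/PE header of a Windows executable
EXEC_EXTS = (".exe", ".scr", ".com", ".msi", ".bat", ".js")
# Business-form keywords the report lists as SEO lure terms.
LURE_WORDS = re.compile(r"template|invoice|receipt|questionnaire|\bcv\b|resume", re.I)

def classify_download(name: str, head: bytes) -> str:
    """Classify one download from its name and first bytes.
    Returns 'ok', 'masquerade', 'double-extension', 'executable-lure'
    or 'type-mismatch'."""
    lower = name.lower()
    stem, _, ext = lower.rpartition(".")
    ext = "." + ext if ext else ""
    if ext in DOC_MAGIC:
        # Name claims a document: content must match, and never be a PE.
        if head.startswith(PE_MAGIC):
            return "masquerade"
        if not head.startswith(DOC_MAGIC[ext]):
            return "type-mismatch"
        return "ok"
    if ext in EXEC_EXTS:
        # Openly executable: flag "invoice.pdf.exe" and lure-worded names.
        if any(stem.endswith(d) for d in DOC_MAGIC):
            return "double-extension"
        if LURE_WORDS.search(stem):
            return "executable-lure"
    return "ok"

def scan_downloads(files):
    """Return (name, verdict) for every file that is not 'ok'."""
    return [(n, v) for n, h in files if (v := classify_download(n, h)) != "ok"]

# Constructed sample downloads (name, first bytes), not real captures.
SAMPLES = [
    ("Invoice_Template.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),   # genuine PDF
    ("Invoice_Template.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),    # PE named .pdf
    ("receipt.pdf.exe", b"MZ\x90\x00"),                          # double extension
    ("cv-template.exe", b"MZ\x90\x00"),                          # lure word, open .exe
    ("notes.docx", b"PK\x03\x04"),                               # genuine OOXML
]

if __name__ == "__main__":
    for name, verdict in scan_downloads(SAMPLES):
        print(f"{verdict:17} {name}")
```

In practice the `head` bytes would come from reading the first 8 bytes of each file in a downloads folder or from a proxy's content inspection; a plain executable without a lure word (e.g. an ordinary installer) is deliberately left to other controls.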
Source of information: threatpost.com