SolarMarker RAT Spreading Through SEO Poisoning

Updated on 2022-10-03

Digital adversaries behind the SolarMarker malware crippled a global tax consulting firm by camouflaging fake Chrome browser updates as part of watering hole attacks. Read more: SolarMarker Attack Leverages Weak WordPress Sites, Fake Chrome Browser Updates

Overview

SolarMarker is a remote access trojan (RAT) that steals data and access credentials. Microsoft says that attackers trying to spread SolarMarker have been using PDF documents loaded with search engine optimization keywords to try to trick users into visiting malicious websites.

Note:

• These documents, which masquerade as legitimate documents users may otherwise be looking for, are hard to have users not open. Even so, users can be made aware of the technique and trained to use caution when a document is prompting them to load more documents for the information requested. Endpoint protections, to include filtering of malicious sites, are key to preventing this sort of attack.
• Understanding the distribution vector for malicious code may be more useful in resisting it than knowing its capabilities.

Read more in:

• Microsoft Security Intelligence
• Microsoft: SEO poisoning used to backdoor targets with malware
• This data and password-stealing malware is spreading in an unusual way

The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from “insurance form” and “acceptance of contract” to “how to join in SQL” and “math answers”.

— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2021