Search engine optimization (SEO) tactics direct users searching for common business forms, such as invoices, receipts, or other templates, to hacker-controlled Google-hosted domains.
Hackers are using search engine optimization (SEO) tactics to lure business users to over 100,000 malicious Google sites that appear legitimate, but instead install a remote access trojan (RAT), which is used to establish itself on a network and then infect systems with ransomware, credential thieves, banking Trojans, and other malware.
ESentire’s Threat Response Unit (TRU) discovered legions of unique and malicious web pages containing popular business terms / particular keywords, including keywords related to business forms such as template, invoice, receipt, questionnaire, and resume, researchers observed. , in a report released Wednesday.
Attackers use Google search redirection and “drive-by-download” tactics to direct unsuspecting victims to the RAT, tracked by eSentire as SolarMarker (aka Jupyter, Yellow Cockatoo, and Polazert). Typically, a person visiting the infected site simply runs a binary file disguised as PDF by clicking on a so-called “form”, thus infecting their machine.
“This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code,” the researchers wrote. “Unfortunately, it reveals an obvious blind spot in the controls, allowing users to run untrusted binaries or script files.”
In fact, the campaign is not only powerful, but also sophisticated.
Common business terms serve as keywords for threat actors’ search optimization strategy, aptly convincing Google’s web crawler that the desired content meets the conditions for a high score on page rank, which means malicious sites will appear at the top of user searches. according to the report. This increases the likelihood that victims will be lured to infected sites.
“Security leaders and their teams should know that the threat group behind SolarMarker has gone to great lengths to engage business professionals, spreading a wide network and using many tactics to successfully disguise their traps,” said Spence Hutchinson. , Threat Intelligence Manager. for eSentire.
Author: Elizabeth Montalbano
Consult at: https://threatpost.com/google-sites-solarmarket-rat/165396/