Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

How 'SEO Poisoning' Is Used to Deploy Malware

PDF Documents Stuffed With SEO Keywords Lead to Malware Attacks
How 'SEO Poisoning' Is Used to Deploy Malware
SEO poisoning attacks use thousands of PDFs stuffed with links to malware. (Image: Pixabay)

SolarMarker backdoor malware operators are using "SEO poisoning" techniques to deploy the remote access Trojan to steal sensitive information, Microsoft reports.

See Also: Live Webinar | Improve Cloud Threat Detection and Response using the MITRE ATT&CK Framework

The operators are using thousands of PDF documents stuffed with SEO keywords and links that start a chain of redirections eventually leading to the malware, Microsoft explains via Twitter.

SEO poisoning is an illegitimate technique used to achieve a higher search engine ranking for websites in an effort to spread malware by prompting visitors to these highly ranked websites to download malicious files.

Attack Analysis

In April, cybersecurity firm eSentire found that hackers had flooded the web with 100,000 malicious pages that promised professionals free business forms but were actually delivering malware.

In SEO poisoning attacks, the PDF files, which turn up in search results, often lead a victim into downloading a .doc file or a .pdf version of their desired information. Victims who click on these links are redirected through five to seven sites with TLDs like .site, .tk, and .ga.

"The attack works by using PDF documents designed to rank on search results," Microsoft Security Intelligence wrote in its tweet about the latest efforts of the SolarMarker gang. "To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from 'insurance form' and 'acceptance of contract' to 'how to join in SQL' and 'math answers.'"

Multiple redirection leads a user to an attacker-controlled site that imitates Google Drive and then prompts the user to download a file that contains the SolarMarker malware. But Microsoft researchers also note that they have witnessed random files being downloaded in what appears to be a detection evasion tactic.

Deploying Backdoor

The backdoor malware, SolarMarker - also referred to as Yellow Cockatoo, Jupyter and Polazert - steals data and credentials from browsers. It sends stolen data to a command-and-control server and persists by creating shortcuts in the startup folder as well as modifying shortcuts on the desktop.

Once the RAT is downloaded, a copy of the legitimate Slim PDF reader application is also downloaded.

Microsoft researchers say the attackers likely install the PDF reader application in an effort to convince the victim of the legitimacy of the document they were seeking or as a distraction from the installation of the malware.

Once the RAT is successfully deployed on a victim machine, the attackers can send commands and upload additional malware, such as ransomware, a credential stealer or a banking Trojan, to the infected systems, according to the eSentire report.

During its earlier analysis, eSentire found that the attackers used Google Sites to host malicious documents. But Microsoft researchers recently observed that attackers shifted to using the hosting services Amazon Web Services and Strikingly, and they notified both services.

SEO Poisoning Widespread

Microsoft says that the SEO poisoning technique is widespread, reporting that Microsoft Defender Antivirus has detected and blocked thousands of the hackers' PDF documents in numerous environments.

Researchers at eSentire recommend that organizations - even those using antivirus software - enable EDR in block mode so known malware is stopped.

Spence Hutchinson, manager of threat intelligence for eSentire, says that the infection process relies on exploiting the user, not an application.

"The user simply executes a binary disguised as a PDF to infect the machine. This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code," he says. "Unfortunately, it reveals a glaring blind spot in controls which allow users to execute untrusted binaries or script files at will."


About the Author

Prajeet Nair

Prajeet Nair

Principal Correspondent

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.