Be Careful What You Search For: A RAT Poisons 100K Web Pages
Published: May 19, 2021 on our newsletter Security Fraud News & Alerts Newsletter.
Researchers from eSentire discovered more than 100,000 malicious web pages linked to particular Google searches. Like many people, business professionals use Google as a search engine tool for work. The infected web pages use SEO (search engine optimization) tactics that target keyword searches for free templates, invoices, receipts, resumes, and more that are frequently used in business. Business-related Google searches don’t typically raise eyebrows, but when they’re used by cybercriminals to install a RAT (remote access trojan) on a device, they get noticed.
The RAT Has a Name
The RAT behind the infections is named SolarMarker, also known as Yellow Cockatoo, Polazert, and Jupyter. The SolarMarker RAT was first seen in 2020, when it used Shopify pages with an attached PDF to redirect victims to the malicious web pages. In this latest campaign, the redirection method has changed: the lure is now Google search results for business forms.
This new approach also includes a legitimate, free copy of the Slim PDF reader. Researchers speculate that Slim PDF is bundled to add legitimacy or to serve as a decoy for the malicious PDF attached alongside it. The 100,000 web pages discovered by eSentire use popular business keywords to rank higher in search results, increasing the likelihood that users will unknowingly open them and trigger the RAT infection.
The RAT Finds a Home
The SolarMarker RAT infection starts by leveraging these mundane business form searches as a stepping stone to infiltrate a system. Users are unknowingly redirected to a malicious web page that hosts the RAT malware. The searched document is offered on the page as a PDF or Word document, and a single click to download the desired business form activates the RAT.
Once the RAT is installed, the bad actors have control of the infected device and can remotely send commands to upload additional malware such as ransomware, credential stealers, and banking trojans. Alternatively, the RAT can be used as an entryway into the victim's entire network. Either way, your device is infected and can lead to others on the same network being infected as well.
Keep in mind that phishing is the most common way RATs and other malware make it into a network. Remind all users to be on the lookout for links and attachments in email messages and texts that may lead to this type of incident. Typos, poor grammar and punctuation, as well as senders who are unknown or who use generic language, are dead giveaways that a RAT of some type may follow.
Most recently, the hacking group behind SolarMarker used a similarly styled attack against an employee in the financial industry. Those working in a financial department or for a financial company are considered high-value targets by hackers. The staffer used Google keyword searches to find a free version of an online document and was likewise redirected to a Google Sites page commandeered by the threat actors. That is a serious problem for the financial industry, because once a RAT is installed and functioning, the opportunities for fraudulent crimes are abundant. So, be careful what you search for.