Search Engine Optimization (SEO) techniques are being used by hackers to attract corporate users in what appears to be a new malware-delivery tactic. Researchers have revealed that over 100,000 fraudulent web pages, which rank as top Google results thanks to sophisticated SEO and a genuine look, actually infect users with a remote access Trojan (RAT) tracked as SolarMarker once they land on them and download content from their links.
A recent study by security professionals has noted that specific malicious websites containing common business terms and business-form-related keywords (such as invoice, receipt, template, resume, and others) have been ranking high on Google.
This is a criminal tactic that is growing in popularity in cybercriminal circles and aims at luring business users into installing the SolarMarker RAT while they think they are downloading a free online business form.
With the help of Google search redirection and drive-by downloads, malicious actors can secretly reroute unsuspecting victims to a RAT-infected page where, by clicking on a legitimate-looking business “form”, they unknowingly execute a binary disguised as a PDF, the study explains.
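One defender-side check against the lure just described, added here as an example that is not part of the article or the researchers' work: it compares a downloaded file's name with its leading bytes to catch an executable posing as a PDF or business form. The file names and contents below are constructed samples.

```python
from pathlib import Path

# Added example (not from the article): verify that a downloaded "business form"
# really is the document type its name claims, before a user opens it.
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"                 # DOS/PE executable header
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
EXEC_EXTS = {".exe", ".scr", ".msi", ".com", ".bat", ".cmd", ".js", ".vbs", ".ps1"}


def classify_download(name: str, head: bytes) -> str:
    """Return 'ok' or a short reason the file should be quarantined.

    name: the file name as saved by the browser
    head: the first bytes of the file content (8 bytes are enough here)
    """
    suffixes = [s.lower() for s in Path(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    # receipt_form.pdf.exe: executable hiding behind a document-looking name
    if last in EXEC_EXTS and any(s in DOC_EXTS for s in suffixes[:-1]):
        return "double extension: executable posing as document"
    # resume.pdf whose content starts with an MZ (PE) header
    if last in DOC_EXTS and head.startswith(PE_MAGIC):
        return "executable content with document extension"
    # claims to be a PDF but lacks the PDF signature (e.g. an HTML redirect page)
    if last == ".pdf" and not head.startswith(PDF_MAGIC):
        return "no PDF signature"
    return "ok"


def audit_downloads(files: dict) -> dict:
    """Classify a batch of {name: content bytes} and return {name: verdict}."""
    return {name: classify_download(name, data[:8]) for name, data in files.items()}


# Constructed sample downloads; the bytes are synthetic, not real malware.
SAMPLES = {
    "invoice_template.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "resume_template.pdf": b"MZ\x90\x00\x03\x00\x00\x00",
    "receipt_form.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "quote_template.pdf": b"<html><body>Redirecting",
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, verdict in audit_downloads(SAMPLES).items():
        print(f"{name:28} {verdict}")
```

In a real deployment the check would run on the browser's download directory or in a mail/web gateway; the verdict strings are placeholders for whatever quarantine action that environment supports.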
Researchers note that the malware campaign is extensive and sophisticated. Popular business terms and keywords are carefully integrated into the search engine optimization strategy of the RAT-infected pages. According to the study, these keywords successfully convince Google’s web crawler that the content of the malicious pages meets the criteria for a high ranking, which in turn places them in the top results of users’ searches and increases the chance that users click on them and get infected.
If a RAT such as SolarMarker (also known as Jupyter, Yellow Cockatoo, and Polazert) is installed on a victim’s machine, the malicious actors in control of it could easily deploy additional malware onto the system, such as a banking Trojan, spyware, ransomware, or a credential stealer that can be used to hijack an organization’s online banking credentials or its business correspondence.
Security professionals warn that the criminals behind threats like SolarMarker seem to be working hard to target business professionals by expanding their network of malicious sites and employing new tactics, including sophisticated SEO, to disguise their malware effectively.
Therefore, people working in the business and financial sectors should be on alert for such lures, where pages controlled by threat actors offer free versions of online business documents and templates whose download buttons deliver embedded malware.