15 April 2021

Cybercriminals deploy SolarMarker RAT via Google Sites

Malicious actors are leveraging search-engine optimization (SEO) tactics to trick business professionals into visiting hacker-controlled websites, hosted on Google Sites, that deliver a remote access trojan (RAT).

Researchers from eSentire’s Threat Response Unit (TRU) said they discovered over 100,000 malicious web pages containing popular business terms as keywords, such as template, invoice, receipt, questionnaire, and resume.

“These common business terms serve as keywords for the threat actors’ search optimization strategy, convincing Google’s web crawler that the intended content meets conditions for a high PageRank score,” the experts explained.

Once the victim visits an attacker-controlled website, they are presented with download buttons for the document template they were searching for, but in reality these buttons lead to a malicious website that serves up an executable disguised as a PDF document or an MS Word document.

Once the user opens the document, malware is installed onto the victim’s computer. The malware in question is the SolarMarker RAT, also tracked as Yellow Cockatoo, Jupyter, and Polazert, used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware. First spotted in October 2020, SolarMarker is written with the .NET software framework.

In the last months of 2020, the attackers used docx2rtf.exe, photodesigner7_x86-64.exe, and Expert_PDF.ex as file names for the decoy app. However, in the most recent attacks the threat actors have switched to the Slim PDF reader app, a legitimate application for reading PDFs, “either in an effort to convince the victim of the legitimacy of the document they were seeking or as a distraction from the installation of the RAT.”
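The lure described above relies on an executable that is named and presented as a PDF or Word document. As an added defender-side example (not code from the article or from eSentire), the following check classifies a download by its leading bytes rather than its name and flags the two disguises the campaign uses: a document extension hiding before a real executable extension, and PE content behind a document extension. The decoy file names come from the article; the sample files are constructed.

```python
from typing import List

# Decoy file names quoted in the article; "Expert_PDF.ex" is kept as printed there.
KNOWN_DECOY_NAMES = {"docx2rtf.exe", "photodesigner7_x86-64.exe", "expert_pdf.ex"}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "rtf"}
EXEC_EXTENSIONS = {"exe", "scr", "com", "msi"}


def content_kind(data: bytes) -> str:
    """Classify a file by its magic bytes instead of trusting its name."""
    if data[:2] == b"MZ":
        return "pe"          # Windows executable (DOS/PE header)
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:2] == b"PK":
        return "zip"         # .docx is a ZIP container
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"         # legacy binary .doc
    return "unknown"


def assess_download(filename: str, data: bytes) -> List[str]:
    """Return the reasons a download looks like an executable disguised as a document."""
    name = filename.lower().rsplit("/", 1)[-1]
    parts = name.split(".")
    reasons = []
    if name in KNOWN_DECOY_NAMES:
        reasons.append("known-decoy-name")
    # invoice.pdf.exe: a document extension hidden before the real executable extension
    if len(parts) >= 3 and parts[-1] in EXEC_EXTENSIONS and parts[-2] in DOC_EXTENSIONS:
        reasons.append("double-extension")
    # A file named like a document whose bytes are actually a PE image
    if content_kind(data) == "pe" and parts[-1] in DOC_EXTENSIONS:
        reasons.append("pe-content-with-document-extension")
    return reasons


# Constructed samples: the first two mimic the lure, the last is a benign PDF header.
SAMPLES = {
    "invoice_template.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "resume.docx": b"MZ\x90\x00" + b"\x00" * 60,
    "questionnaire.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, assess_download(fname, blob) or ["clean"])
```

In practice the same check belongs at the proxy or EDR layer, where the file name in the HTTP response and the first bytes of the body are both available before the user opens anything.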

“As with any RAT, once SolarMarker is active, the threat actors can send commands and upload additional files to the infected system. The TRU has not yet observed actions-on-objectives following a SolarMarker infection, but suspects any number of possibilities, including ransomware, credential theft, fraud, or as a foothold into the victim networks for espionage or exfiltration operations,” the researchers said.
