Malware Uses SEO and PDF Documents To Steal Passwords


Malware: Microsoft has confirmed that it is investigating a series of attacks that use search keywords (SEO) in PDF documents to infect users’ machines. According to the company’s report, this remote access trojan (RAT) is able to steal sensitive data from web browsers and change desktop shortcuts, leading victims to malicious websites.

Microsoft warned of the new scam on June 11 this year, reporting that the malware used is SolarMarker (also known as Jupyter, Polazert and Yellow Cockatoo). This .NET RAT relies on a gateway that gives its operators access to infected devices, performing in-memory data collection and acting as a backdoor into systems that are already considered compromised.

This information-stealing technique is a classic known as “SEO poisoning” and uses search engines to spread malware. In the new version, scammers host pages on Google Sites as bait for the unsuspecting, combining PDF document downloads, campaigns to boost the pages’ search engine rankings, and a site that mimics Google Drive to build credibility.

“When opened, PDFs prompt users to download a .doc file or a .pdf version of the desired information. Users who click on the links are redirected through 5-7 sites with TLDs such as .site, .tk, and .ga,” said Microsoft. “After multiple redirects, users arrive at an intruder-controlled website that mimics Google Drive and are prompted to download the file.”
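The redirect pattern Microsoft describes (five to seven hops through throwaway TLDs ending on a Google Drive look-alike) is something a defender can hunt for in web proxy logs. The script below is an added example, not code from the article or from Microsoft: it reconstructs per-client redirect chains from a constructed, simplified log format (client, HTTP status, requested URL, Location header) and flags chains that are unusually long, pass through the TLDs named in the report, or land on a host that imitates Google without being a Google domain. The log format, the sample hostnames and the `MIN_HOPS` threshold are all assumptions; a real proxy log would need its own parser.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# TLDs named in Microsoft's description of the campaign.
SUSPECT_TLDS = {"site", "tk", "ga"}
# Assumed threshold: the report describes 5-7 redirects per victim.
MIN_HOPS = 5
# Hosts that may legitimately contain "google"; anything else containing
# "google" in its name is treated as a look-alike.
LEGIT_GOOGLE_SUFFIXES = ("google.com", "googleusercontent.com")

# Constructed sample log (not real traffic): client status url location
SAMPLE_LOG = """\
10.0.0.5 302 http://sites.google.com/view/free-template-pack http://dl-templates.site/go
10.0.0.5 302 http://dl-templates.site/go http://cdn-fast.tk/r1
10.0.0.5 302 http://cdn-fast.tk/r1 http://files-mirror.ga/r2
10.0.0.5 302 http://files-mirror.ga/r2 http://download-hub.site/r3
10.0.0.5 302 http://download-hub.site/r3 http://drive-google-docs.tk/file
10.0.0.5 200 http://drive-google-docs.tk/file -
10.0.0.9 302 http://example.org/old http://example.org/new
10.0.0.9 200 http://example.org/new -
"""


def parse_log(text):
    """Parse the simplified log into (client, status, url, location) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, status, url, location = line.split()
        records.append((client, int(status), url, None if location == "-" else location))
    return records


def hostname(url):
    return (urlsplit(url).hostname or "").lower()


def tld_of(url):
    return hostname(url).rsplit(".", 1)[-1]


def redirect_chains(records):
    """Group records by client and follow 3xx Location headers into chains.

    A chain continues while the next request from the same client is exactly
    the URL the previous response redirected to; it ends at the first
    non-redirect response or when the client requests something else.
    """
    per_client = defaultdict(list)
    for rec in records:
        per_client[rec[0]].append(rec)

    chains = []
    for client, recs in per_client.items():
        chain, expected = [], None
        for _, status, url, location in recs:
            if chain and url != expected:
                chains.append((client, chain))  # client broke the chain
                chain, expected = [], None
            chain.append(url)
            if 300 <= status < 400 and location:
                expected = location
            else:
                chains.append((client, chain))  # landing page reached
                chain, expected = [], None
        if chain:
            chains.append((client, chain))
    return chains


def assess_chain(urls):
    """Return hop count, suspicious hosts and whether the chain is flagged."""
    hops = len(urls) - 1
    suspect_hosts = [hostname(u) for u in urls if tld_of(u) in SUSPECT_TLDS]
    landing = hostname(urls[-1])
    lookalike = "google" in landing and not landing.endswith(LEGIT_GOOGLE_SUFFIXES)
    long_chain = hops >= MIN_HOPS and bool(suspect_hosts)
    return {
        "hops": hops,
        "suspect_hosts": suspect_hosts,
        "lookalike_landing": lookalike,
        "flagged": long_chain or lookalike,
    }


def flagged_chains(text):
    """Convenience entry point: all flagged (client, urls, assessment) triples."""
    out = []
    for client, urls in redirect_chains(parse_log(text)):
        verdict = assess_chain(urls)
        if verdict["flagged"]:
            out.append((client, urls, verdict))
    return out


if __name__ == "__main__":
    for client, urls, verdict in flagged_chains(SAMPLE_LOG):
        print(f"{client}: {verdict['hops']} hops, landing on {hostname(urls[-1])}")
        for u in urls:
            print("   ", u)
```

The two signals are kept separate on purpose: a long chain through cheap TLDs is suspicious even when the final page does not imitate Google, and a look-alike landing host is worth a look even after a single redirect. Tuning `MIN_HOPS` and the TLD list to your own environment is expected; legitimate link shorteners and ad networks also produce multi-hop chains, so this is a triage filter rather than a verdict.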

Investigation and protection against the RAT

So far, Microsoft and threat protection companies have been tracking the source of the SolarMarker malware, and researchers believe its authors are Russian, as errors in Russian-to-English translation were detected during analysis of the RAT. In addition, they found that many of the malware’s C2 servers are located in Russia, although most of them are now down.

To protect yourself from the scam, the most recommended actions are to avoid downloading files from suspicious pages (especially if they require you to submit replies or forms), keep antivirus enabled, and use a password manager and a VPN, as these are the safest ways to keep devices out of attackers’ reach and browse online safely.