
Malicious PDFs Flood the Web, Lead to Password-Snarfing

submitted by
Style Pass
2021-06-21 21:30:07

SolarMarker makers are using SEO poisoning, stuffing thousands of PDFs with tens of thousands of pages full of SEO keywords & links to redirect to the malware.

The pushers behind the SolarMarker backdoor malware are flooding the web with PDFs stuffed with keywords and links that redirect to the password-stealing, credential-snarfing malware.

Microsoft Security Intelligence said in a Tweet on Friday that the SolarMarker (also known as Jupyter) makers are looking for new success by using an old technique: Search Engine Optimization (SEO) poisoning. They’re stuffing thousands of PDF documents with SEO keywords and links that start a chain of redirects that eventually leads to the malware.

The attackers have expanded their range, according to Microsoft Security Intelligence, whose researchers have seen them shift from originally using Google Sites to now primarily using Amazon Web Services (AWS) and the Strikingly free website builder service.

In April, when the threat actors were still focused on Google Sites, eSentire’s Threat Response Unit (TRU) discovered legions of unique, malicious web pages stuffed with popular business terms and keywords, including business-form related keywords such as “template,” “invoice,” “receipt,” “questionnaire” and “resume.”
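As an added defender-side example (not code from the article, Microsoft or eSentire), the following stdlib-only Python heuristic flags PDFs whose hyperlink profile matches the keyword-and-link-stuffed lures described above: far more links than a normal document, most of them funnelling to a single external host. The thresholds, host names and the minimal PDF-like sample bytes are constructed assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Link annotations in an uncompressed PDF object look like:
#   /A << /S /URI /URI (https://host/path) >>
# Caveat: annotations packed into compressed object streams (/ObjStm) are
# invisible to this byte-level scan; a full parser would inflate them first.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def extract_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in the raw PDF bytes, in document order."""
    return [m.group(1).decode("latin-1", "replace") for m in URI_RE.finditer(pdf_bytes)]

def assess_pdf(pdf_bytes: bytes, max_links: int = 50, host_ratio: float = 0.8) -> dict:
    """Score a PDF's link profile. Thresholds are assumed values to tune per corpus:
    more than max_links hyperlinks, or a large share of links pointing at one host,
    is the SEO-lure pattern rather than a normal invoice or resume template."""
    uris = extract_uris(pdf_bytes)
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    ratio = top_count / len(uris) if uris else 0.0
    reasons = []
    if len(uris) > max_links:
        reasons.append(f"{len(uris)} links exceeds {max_links}")
    if len(uris) > max_links // 5 and ratio >= host_ratio:
        reasons.append(f"{ratio:.0%} of links point at {top_host}")
    return {"links": len(uris), "top_host": top_host, "top_ratio": ratio,
            "suspicious": bool(reasons), "reasons": reasons}

def build_sample_pdf(n_links: int, host: str) -> bytes:
    """Constructed, minimal PDF-like byte string with n_links link annotations (test input only)."""
    objs = [b"%PDF-1.4\n"]
    for i in range(n_links):
        objs.append(
            b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://%s/p%d) >> >>\nendobj\n"
            % (i + 1, host.encode(), i))
    objs.append(b"%%EOF\n")
    return b"".join(objs)

if __name__ == "__main__":
    # A small "normal" document versus a link-stuffed lure (both constructed).
    for n, host in ((3, "docs.example"), (200, "lure.example")):
        print(n, host, assess_pdf(build_sample_pdf(n, host)))
```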
