How ‘SEO Poisoning’ Is Used to Deploy Malware

Criminals targeting business people with malware-laden documents

The operators of the SolarMarker backdoor are using “SEO poisoning” techniques to deploy the remote access Trojan and steal sensitive information, Microsoft reports. In these attacks, PDF documents stuffed with search keywords are pushed to the top of search results; the links inside them lead to the malware, which steals data and credentials from browsers.

Attack Analysis
In April, cybersecurity firm eSentire reported that attackers had flooded the web with 100,000 malicious pages that promised professionals free business forms but actually delivered malware.

In these SEO poisoning attacks, the PDF files that turn up in search results do not contain the promised content; instead they offer a link to download a .doc or .pdf version of it. Victims who click the link are redirected through five to seven sites on TLDs such as .site, .tk, and .ga before they reach the download.

“The attack works by using PDF documents designed to rank on search results,” Microsoft Security Intelligence wrote in its tweet about the latest efforts of the SolarMarker gang. “To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from ‘insurance form’ and ‘acceptance of contract’ to ‘how to join in SQL’ and ‘math answers.’”

The chain of redirects ends at an attacker-controlled site that imitates Google Drive and prompts the user to download a file containing the SolarMarker malware. Microsoft researchers also note that in some cases a random file is served instead, which appears to be a tactic to evade detection.
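The chain described above (search-ranked PDF, a click on its download link, five to seven redirects across hosts on .site/.tk/.ga, a lure page, then a file download) is something a proxy log can show end to end. The script below is an added example, not Microsoft's or eSentire's detection logic and not part of the original article: it reads a constructed, simplified proxy log (the field layout, the hostnames and the `DOWNLOAD_TYPES` list are assumptions) and flags a client whose traffic shows a run of redirects across at least five distinct hosts, mostly on those TLDs, then reports whether the click originated in a PDF and whether a binary download followed from the landing host.

```python
"""Redirect-chain heuristic for SEO-poisoning lures (added example, not from the article).

Log format (constructed for this example, one request per line):
    <iso-timestamp> <client-ip> <method> <url> <status> <content-type> <referer>
A real deployment would adapt parse_line() to the proxy's actual fields.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# TLDs the article names as typical redirect hops.
SUSPICIOUS_TLDS = {"site", "tk", "ga"}
# The article reports five to seven redirect hops before the lure page.
MIN_HOPS = 5
# Content types treated as a file download (assumption, extend as needed).
DOWNLOAD_TYPES = {"application/octet-stream", "application/zip",
                  "application/x-msdownload"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<referer>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def tld(host):
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def _evaluate(client, chain, landing, later, min_hops):
    """Score one run of 3xx responses that ended at `landing` (a non-3xx)."""
    distinct = list(dict.fromkeys(r["host"] for r in chain))  # ordered, deduped
    if len(distinct) < min_hops:
        return None
    suspicious = [h for h in distinct if tld(h) in SUSPICIOUS_TLDS]
    if len(suspicious) * 2 < len(distinct):  # require a majority on cheap/free TLDs
        return None
    # Did the client later fetch a binary from the landing host (the lure page)?
    download = next((r["url"] for r in later
                     if r["host"] == landing["host"] and r["ctype"] in DOWNLOAD_TYPES),
                    None)
    return {
        "client": client,
        "hops": len(distinct),
        "suspicious_hosts": suspicious,
        "from_pdf": chain[0]["referer"].lower().endswith(".pdf"),
        "landing_url": landing["url"],
        "download_url": download,
    }


def find_redirect_chains(lines, min_hops=MIN_HOPS):
    """Return one finding per redirect chain that matches the SEO-poisoning pattern."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])  # stable sort keeps log order for equal stamps
        chain = []
        for i, rec in enumerate(recs):
            if 300 <= rec["status"] < 400:
                chain.append(rec)
                continue
            if chain:  # a non-redirect closes the chain; this is the landing page
                finding = _evaluate(client, chain, rec, recs[i + 1:], min_hops)
                if finding:
                    findings.append(finding)
                chain = []
        # A chain still open at end of log has no landing page and is not scored.
    return findings


# Constructed sample log: one victim following the lure, one benign http->https hop.
SAMPLE_LOG = """\
2021-06-11T09:14:02Z 10.0.0.21 GET https://sites.google.com/view/free-forms/contract.pdf 200 application/pdf https://www.google.com/search?q=acceptance+of+contract
2021-06-11T09:14:20Z 10.0.0.21 GET http://formdownload.site/go 302 - https://sites.google.com/view/free-forms/contract.pdf
2021-06-11T09:14:21Z 10.0.0.21 GET http://get-doc.tk/r 302 - -
2021-06-11T09:14:21Z 10.0.0.21 GET http://docs-now.ga/x 302 - -
2021-06-11T09:14:22Z 10.0.0.21 GET http://free-templates.site/c 302 - -
2021-06-11T09:14:22Z 10.0.0.21 GET http://pdf-share.tk/d 302 - -
2021-06-11T09:14:23Z 10.0.0.21 GET https://drive-share.example.net/view 200 text/html -
2021-06-11T09:14:30Z 10.0.0.21 GET https://drive-share.example.net/download/contract_form.zip 200 application/zip https://drive-share.example.net/view
2021-06-11T09:15:00Z 10.0.0.37 GET http://intranet.example.com/ 301 - -
2021-06-11T09:15:00Z 10.0.0.37 GET https://intranet.example.com/ 200 text/html -
"""

if __name__ == "__main__":
    for f in find_redirect_chains(SAMPLE_LOG.splitlines()):
        print(f)
```

The majority-of-suspicious-TLDs test and the five-host minimum are what keep ordinary redirect chains (HTTP to HTTPS, SSO bounces) out of the results; the `from_pdf` and `download_url` fields are the two facts an analyst would check first before treating the hit as a SolarMarker-style lure rather than a noisy ad network.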

In its earlier analysis, eSentire found that the attackers hosted the malicious documents on Google Sites. Microsoft researchers recently observed that the attackers have shifted to hosting them on Amazon Web Services and Strikingly, and Microsoft has notified both services.

SEO Poisoning Widespread
According to Microsoft, SEO poisoning is widespread; Microsoft Defender Antivirus alone has detected and blocked thousands of the attackers’ PDF documents before they could infect users’ computers.

Other security experts point to a consistent weak point: the user. A high ranking in search results is not a signal of trust, so employees should be taught to download documents only from sites they have reason to trust, not simply from whatever ranks highly on Google, and to treat a prompt inside a search-found PDF to download a .doc or .pdf copy as a red flag. Ongoing education about the business-targeted threats in the online environment is key to keeping your organization safe.

If you have questions about IT security or evolving threats, call ITPAC today.