100,000 Google Sites Used to Install SolarMarker RAT
2021-04-14 14:48

Hackers are using search-engine optimization tactics to lure business users to more than 100,000 malicious Google sites that seem legitimate, but instead install a remote access trojan, used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware.

Attackers use Google search redirection and drive-by-download tactics to direct unsuspecting victims to the RAT, tracked by eSentire as SolarMarker.

The common business terms serve as keywords for the threat actors' search-optimization strategy, aptly convincing Google's web crawler that the intended content meets conditions for a high page-rank score, which means the malicious sites will appear at the top of user searches, according to the report.

"Security leaders and their teams need to know that the threat group behind SolarMarker has gone to a lot of effort to compromise business professionals, spreading a wide net and using many tactics to successfully disguise their traps," said Spence Hutchinson, manager of threat intelligence for eSentire.

Researchers describe a recent incident they observed in which a victim in the financial industry was searching for a free version of a document online and was redirected via Google Search to a Google Sites page controlled by threat actors that included an embedded download button.

"Once a RAT has been installed on a victim's computer, the threat actors can upload additional malware to the device, such as a banking trojan, which could be used to hijack the online banking credentials of the organization," they said.


News URL

https://threatpost.com/google-sites-solarmarket-rat/165396/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 140 994 4863 2810 1621 10288