YIKES! Hackers flood the web with 100,000 pages offering malicious PDFs
2021-04-15 02:38

Users attempting to download the alleged document templates are redirected, without their knowledge, to a malicious website that hosts the malware.

"Once the RAT is on the victim's computer and activated, the threat actors can send commands and upload additional malware to the infected system, such as ransomware, a credential stealer, a banking trojan, or simply use the RAT as a foothold into the victim's network," researchers from eSentire said in a write-up published on Tuesday.

The cybersecurity firm said it discovered over 100,000 unique web pages containing popular business terms or keywords such as template, invoice, receipt, questionnaire, and resume, which lets the pages rank higher in search results and thereby increases the likelihood of success.

Once a victim lands on the attacker-controlled website and downloads the document being searched for, it becomes an entry point for more sophisticated threats, ultimately resulting in the installation of a .NET-based RAT called SolarMarker.

"Another troubling aspect of this campaign is that the SolarMarker group has populated many of their malicious web pages with keywords relating to financial documents," said Spence Hutchinson, eSentire's manager of threat intelligence.

"A financial cybercrime group would consider an employee, working in the finance department of a company, or an employee, working for a financial organization, a high value target. Unfortunately, once a RAT is comfortably installed, the potential fraud activities are numerous."


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/OJUqyXnH4yI/yikes-cybercriminals-flood-intrenet.html