Microsoft: SEO poisoning used to backdoor targets with malware (Security News, June 2021)
Microsoft is tracking a series of attacks that use SEO poisoning to infect targets with a remote access trojan capable of stealing the victims' sensitive info and backdooring their systems.
The malware delivered in this campaign is SolarMarker, a .NET RAT that runs in memory and is used by attackers to drop other payloads on infected devices.
In more recent attacks spotted by Microsoft, the attackers have switched to keyword-stuffed documents hosted on AWS and Strikingly, and are now targeting other sectors, including finance and education.
"They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware," Microsoft said.
"The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from 'insurance form' and 'acceptance of contract' to 'how to join in SQL' and 'math answers'."
Ga TLDs to a cloned Google Drive web page where they are served the last payload, the SolarMarker malware.
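A triage heuristic for the keyword-stuffed PDFs described in the Microsoft quote, added here as an example and not taken from Microsoft or the original article. It assumes per-page text and link URIs have already been extracted by a PDF parser; the fragment thresholds and the sample data are constructed assumptions, and only the ">10 pages" figure comes from the quote.

```python
import re

# Assumed thresholds; only the ">10 pages" figure comes from the quoted report.
MAX_FRAGMENT_WORDS = 6   # a line this short without sentence punctuation counts as a keyword phrase
FRAGMENT_RATIO = 0.8     # share of fragment lines that marks a page as keyword padding
MIN_STUFFED_PAGES = 11   # ">10 pages of keywords"

SENTENCE_END = re.compile(r"[.!?][\"')\]]?$")


def is_fragment(line):
    """True for a short line that does not end like a sentence."""
    words = line.split()
    return 0 < len(words) <= MAX_FRAGMENT_WORDS and not SENTENCE_END.search(line.strip())


def page_is_stuffed(page_text):
    """A page is padding when most of its non-empty lines are keyword fragments."""
    lines = [l for l in page_text.splitlines() if l.strip()]
    if not lines:
        return False
    fragments = sum(is_fragment(l) for l in lines)
    return fragments / len(lines) >= FRAGMENT_RATIO


def triage_pdf(pages, links):
    """Return a triage verdict for one PDF given its per-page text and link URIs."""
    stuffed = sum(page_is_stuffed(p) for p in pages)
    external = [u for u in links if u.lower().startswith(("http://", "https://"))]
    return {
        "pages": len(pages),
        "stuffed_pages": stuffed,
        "external_links": len(external),
        # Flag only when heavy padding and an outbound link occur together.
        "suspicious": stuffed >= MIN_STUFFED_PAGES and bool(external),
    }


# Constructed sample data, not taken from any real document.
KEYWORDS = ["insurance form", "acceptance of contract", "how to join in SQL", "math answers"]
LURE = ["Download the full document below."] + ["\n".join(KEYWORDS * 5)] * 12
REPORT = ["The quarterly results improved this year.\nRevenue grew in every region we serve."] * 14

if __name__ == "__main__":
    print(triage_pdf(LURE, ["https://redirector.example/doc"]))
    print(triage_pdf(REPORT, ["https://intranet.example/q2"]))
```

A hit is a reason to inspect the document's link targets before anyone opens them, not a verdict: legitimate glossaries and indexes also consist of short phrase lines.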