Microsoft: SEO poisoning used to backdoor targets with malware (June 2021)

Microsoft is tracking a series of attacks that use SEO poisoning to infect targets with a remote access trojan capable of stealing the victims' sensitive info and backdooring their systems.
The malware delivered in this campaign is SolarMarker, a .NET RAT that runs in memory and is used by attackers to drop other payloads on infected devices.
In more recent attacks spotted by Microsoft, the attackers have switched to keyword-stuffed documents hosted on AWS and Strikingly, and are now targeting other sectors, including finance and education.
"They use thousands of PDF documents stuffed w/ SEO keywords and links that start a chain of redirections eventually leading to the malware," Microsoft said.
"The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from 'insurance form' and 'acceptance of contract' to 'how to join in SQL' and 'math answers'."
Ga TLDs to a cloned Google Drive web page where they are served the last payload, the SolarMarker malware.