Malicious PDFs Flood the Web, Lead to Password-Snarfing
2021-06-15 17:05

The pushers behind the SolarMarker backdoor malware are flooding the web with PDFs stuffed with keywords and links that redirect to the password-stealing, credential-snarfing malware.

The attackers have expanded their range, according to Microsoft Security Intelligence, whose researchers have seen them shift from originally using Google Sites to now primarily using Amazon Web Services and the Strikingly free website builder service.

In April, when the threat actors were still focused on Google Sites, eSentire's Threat Response Unit discovered legions of unique, malicious web pages seeded with popular business terms and keywords, including business-form related terms such as "Template," "Invoice," "Receipt," "Questionnaire" and "Resume."

The attackers were using search-engine optimization tactics to lure business users to more than 100,000 malicious Google sites that looked legitimate.

The researchers said that Microsoft 365 Defender data show that this particular flavor of SEO poisoning (packing the PDFs full of common, oft-used keywords and links to the attackers' rigged sites) is working quite well for the SolarMarker operators.

Blocking the Bursting-With-Bad PDFs

Microsoft recommends that organizations not using Microsoft Defender Antivirus or Microsoft Defender for Endpoint to alert on the malicious files and behaviors enable endpoint detection and response in block mode in whatever security product they are using, so that unknown malware is stopped rather than merely flagged.

News URL

https://threatpost.com/rotten-pdfs-flood-web-password-snarfing/166932/