SolarMarker Backdoor Developers Spread Thousands of Malicious PDFs on the Internet

Malicious PDFs

Attackers are using the old SEO poisoning technique to populate PDFs with keywords.

Microsoft Security Intelligence has warned users about a large volume of malicious PDF files being distributed on the Internet by the operators of the SolarMarker backdoor (also known as Jupyter).

The attackers rely on the well-known, old technique of SEO poisoning: the PDFs are stuffed with keywords and links that redirect victims to malware which steals passwords and credentials. Initially the files were hosted on Google Sites, but the attackers later moved to the Amazon Web Services (AWS) and Strikingly platforms.

In April of this year, researchers identified a large number of unique malicious web pages built around popular business terms and specific keywords such as "template", "invoice", "receipt", "questionnaire" and "resume".

The PDF documents are built to rank among the first results for such search queries. The criminals stuffed the files with more than 10,000 search phrases, from "form of insurance" and "agreement to the terms of the contract" to "answers to mathematical problems".

A page or PDF reached from the search results prompts the user to click a link, ostensibly to download the wanted document in PDF or DOC format. The click then bounces the user through a series of third-party sites to a page disguised as Google Drive, from which the SolarMarker payload is downloaded.
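As an added illustration of the two traits described above (keyword stuffing and an outbound download link), the following Python script is not from Microsoft's report or from the SolarMarker campaign: it constructs a minimal one-page PDF that mimics such a lure, then runs a simple heuristic over it. The phrase generator, the `lure.invalid` download URL, the trusted-host list and the decision thresholds are all assumptions chosen for the example; the five seed terms are the ones named in the article.

```python
import re
import zlib
from urllib.parse import urlparse

# Seed terms reported in the campaign (see the article). The permutations below
# are an assumption that imitates how a stuffed lure covers many query variants.
LURE_TERMS = ("template", "invoice", "receipt", "questionnaire", "resume")
LURE_PHRASES = [
    f"{adj} {term} {noun}"
    for term in LURE_TERMS
    for adj in ("free", "printable", "blank", "editable")
    for noun in ("form", "pdf", "download", "sample")
]  # 80 distinct phrases
# Constructed placeholder URL (.invalid is a reserved TLD), not a real campaign URL.
LURE_URI = "https://lure.invalid/download?doc=invoice-template"
BENIGN_LINES = [
    "Quarterly Summary",
    "Prepared by the finance team",
    "See the attached invoice for line items",
]

# Matches stream bodies. Real parsers should honour /Length instead; the "\n"
# terminator is fixed here so a trailing 0x0D byte of compressed data survives.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")        # literal string shown with Tj
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")     # /URI (...) in link actions


def build_lure_pdf(phrases, uri, compress=False):
    """Build a minimal PDF: one line per phrase plus a single clickable /URI link.
    Phrases must not contain unescaped parentheses or backslashes."""
    text_ops = b"\n".join(b"(" + p.encode() + b") Tj T*" for p in phrases)
    content = b"BT /F1 10 Tf 20 770 Td 12 TL\n" + text_ops + b"\nET"
    filt = b""
    if compress:  # real lures almost always use FlateDecode content streams
        content = zlib.compress(content)
        filt = b" /Filter /FlateDecode"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        b"/Resources << /Font << /F1 << /Type /Font /Subtype /Type1 /BaseFont /Helvetica >> >> >> "
        b"/Annots [5 0 R] >>",
        b"<< /Length %d%s >>\nstream\n%s\nendstream" % (len(content), filt, content),
        b"<< /Type /Annot /Subtype /Link /Rect [20 700 300 720] /A << /S /URI /URI ("
        + uri.encode() + b") >> >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


def content_streams(pdf_bytes):
    """Yield each stream body, inflating it when it is a FlateDecode stream."""
    for m in STREAM_RE.finditer(pdf_bytes):
        raw = m.group(1)
        try:
            yield zlib.decompress(raw)
        except zlib.error:
            yield raw


def extract_strings(pdf_bytes):
    return [s.decode("latin-1") for body in content_streams(pdf_bytes) for s in TJ_RE.findall(body)]


def extract_uris(pdf_bytes):
    return [u.decode("latin-1") for u in URI_RE.findall(pdf_bytes)]


def score_pdf(pdf_bytes, trusted_hosts=("intranet.example.com",)):
    """Flag a PDF when most of its text is lure vocabulary, spread over many
    distinct short lines, and it carries a link to an untrusted host."""
    lines = extract_strings(pdf_bytes)
    hits = [l for l in lines if any(t in l.lower() for t in LURE_TERMS)]
    ratio = len(hits) / len(lines) if lines else 0.0
    external = [u for u in extract_uris(pdf_bytes) if urlparse(u).hostname not in trusted_hosts]
    return {
        "line_count": len(lines),
        "distinct_lines": len(set(lines)),
        "lure_hits": len(hits),
        "stuffing_ratio": ratio,
        "external_uris": external,
        "suspicious": ratio >= 0.5 and len(set(lines)) >= 20 and bool(external),
    }


if __name__ == "__main__":
    print(score_pdf(build_lure_pdf(LURE_PHRASES, LURE_URI, compress=True)))
    print(score_pdf(build_lure_pdf(BENIGN_LINES, "https://intranet.example.com/reports")))
```

The heuristic is deliberately crude: it only reads literal `Tj` strings and `/URI` actions, so a lure that draws text with `TJ` arrays, hex strings, or an embedded image would slip past it, and a legitimate invoice template would trip the vocabulary check if it also carried an external link. In practice the stronger signal is the URL, which should be checked against the redirect chain and hosting patterns the article describes rather than against a static allowlist.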
