100,000 Google Sites Used to Install SolarMarker RAT


Search-engine optimization (SEO) tactics direct users searching for common business forms such as invoices, receipts or other templates to hacker-controlled Google-hosted domains.

Hackers are using search-engine optimization (SEO) tactics to lure business users to more than 100,000 malicious Google sites that seem legitimate, but instead install a remote access trojan (RAT), used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware.

eSentire’s Threat Response Unit (TRU) discovered legions of unique, malicious web pages seeded with popular business terms and keywords, in particular business-form related words such as template, invoice, receipt, questionnaire and resume, researchers observed in a report published Wednesday.

Attackers use Google search redirection and drive-by-download tactics to direct unsuspecting victims to the RAT—tracked by eSentire as SolarMarker (a.k.a. Jupyter, Yellow Cockatoo and Polazert). Typically, a visitor to the infected site simply executes a binary disguised as a PDF by clicking on a purported “form,” thus infecting his or her machine.

“This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code,” researchers wrote. “Unfortunately, it reveals a glaring blind spot in controls, which allows users to execute untrusted binaries or script files at will.”
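The lure described above is a "form" that is really an executable carrying a document's name. As an added example (not from eSentire's report or its tooling), the routine below checks a download's declared name against its leading magic bytes and flags the two masquerades this campaign relies on: a .pdf name over executable content, and a double extension such as invoice.pdf.exe. All sample bytes and filenames are constructed.

```python
"""Flag downloads whose name promises a PDF but whose bytes say otherwise.

Added example; file names and byte strings below are constructed.
"""
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"
# Executable containers a lure may hide behind a document-looking name.
EXEC_MAGIC = {b"MZ": "PE executable", b"\x7fELF": "ELF executable"}
# Final extensions that Windows will run directly when double-clicked.
RUNNABLE_EXTS = {".exe", ".scr", ".msi", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta"}


@dataclass
class Verdict:
    suspicious: bool
    reason: str


def describe_content(head: bytes) -> str:
    """Classify a file from its first bytes, independent of its name."""
    if head.startswith(PDF_MAGIC):
        return "pdf"
    for magic, label in EXEC_MAGIC.items():
        if head.startswith(magic):
            return label
    return "unknown"


def inspect_download(filename: str, head: bytes) -> Verdict:
    """Compare the name a lure presents with what the file actually contains."""
    name = filename.lower().strip()
    stem, dot, ext = name.rpartition(".")
    ext = "." + ext if dot else ""
    content = describe_content(head)
    # "resume.pdf.exe": a document extension buried before a runnable one
    if ext in RUNNABLE_EXTS and ".pdf" in stem:
        return Verdict(True, f"double extension: looks like a PDF, ends in {ext}")
    # "invoice.pdf" whose bytes are a PE header, or anything other than a PDF
    if ext == ".pdf" and content != "pdf":
        return Verdict(True, f"named .pdf but content is {content}")
    return Verdict(False, f"{ext or 'no extension'} consistent with {content}")


if __name__ == "__main__":
    samples = [  # constructed downloads
        ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
        ("Invoice_Template.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("resume.pdf.exe", b"MZ\x90\x00"),
    ]
    for fname, head in samples:
        print(fname, "->", inspect_download(fname, head))
```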

Indeed, the campaign is not only far-reaching but also sophisticated.

The common business terms serve as keywords for the threat actors’ search-optimization strategy, convincing Google’s web crawler that the content meets the conditions for a high page-rank score, so the malicious sites appear at the top of users’ search results, according to the report. This increases the likelihood that victims will be lured to infected sites.

“Security leaders and their teams need to know that the threat group behind SolarMarker has gone to a lot of effort to compromise business professionals, spreading a wide net and using many tactics to successfully disguise their traps,” said Spence Hutchinson, manager of threat intelligence for eSentire.

Source: threatpost.com