
How Hackers Used 100k Google Websites to Install SolarMarker RAT

by CISOCONNECT Bureau

Threat actors are using SEO techniques to lure business users to fraudulent Google-hosted pages that appear legitimate. Read on to know more about it…

End users searching for common business forms such as invoices, receipts, or other templates are directed to attacker-controlled, Google-hosted pages through Search Engine Optimisation (SEO) poisoning.

Hackers are using SEO techniques to lure business users to more than 100,000 malicious Google-hosted pages that appear legitimate but instead install a Remote Access Trojan (RAT). The RAT is used to gain a foothold on a network and then infect devices with ransomware, credential stealers, banking trojans, and other malware.

RAT is an acronym for Remote Access Trojan: a malware program that pretends to be something it is not and includes a backdoor that gives the attacker administrative control over the target computer.

In a study report released recently, researchers noted that eSentire's Threat Response Unit (TRU) discovered a large number of distinct, malicious web pages that contain common business terms and search phrases, including business-form related keywords such as template, invoice, receipt, questionnaire, and resume.

Observations
Threat actors guide unsuspecting victims to the RAT, known to eSentire as SolarMarker (a.k.a. Jupyter, Yellow Cockatoo and Polazert), by using Google search redirection and drive-by-download tactics. In a typical case, a web user visits an infected web page and clicks on a purported "form", which executes a binary disguised as a PDF and infects the user's computer.

The researchers wrote, "This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code." They added, "Unfortunately, it reveals a glaring blind spot in controls, which allows users to execute untrusted binaries or script files at will."
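The lure described above is a Windows executable carrying a document name. One check a practitioner can run against a downloads folder is to compare what the file name claims with what the first bytes actually are. The script below is an added example written for this article, not eSentire's tooling; the file names and byte contents it writes are constructed samples, and the extension lists are assumptions about what counts as "document" versus "executable" in a given environment.

```python
import os
import tempfile

# Assumed lists: extensions a lure file claims (document) versus what Windows executes.
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".msi", ".bat", ".cmd", ".ps1", ".js", ".vbs"}
PDF_MAGIC = b"%PDF-"   # every real PDF file starts with this
PE_MAGIC = b"MZ"       # DOS/PE executable header


def classify_download(path):
    """Return the list of reasons `path` looks like an executable posing as a document.
    An empty list means no finding."""
    findings = []
    name = os.path.basename(path).lower()
    exts = ["." + part for part in name.split(".")[1:]]   # invoice.pdf.exe -> ['.pdf', '.exe']
    final_ext = exts[-1] if exts else ""

    # A document extension placed in front of the real executable extension.
    if final_ext in EXEC_EXTENSIONS and any(e in DOC_EXTENSIONS for e in exts[:-1]):
        findings.append("double extension")

    with open(path, "rb") as fh:
        head = fh.read(8)

    # Name says document, bytes say Windows executable.
    if final_ext in DOC_EXTENSIONS and head.startswith(PE_MAGIC):
        findings.append("PE header in document-named file")
    elif final_ext == ".pdf" and not head.startswith(PDF_MAGIC):
        findings.append("missing PDF magic")
    return findings


def scan_directory(directory):
    """Map every regular file in `directory` to its findings (clean files map to [])."""
    results = {}
    for entry in sorted(os.listdir(directory)):
        full = os.path.join(directory, entry)
        if os.path.isfile(full):
            results[entry] = classify_download(full)
    return results


def build_samples(directory):
    """Write constructed sample downloads: one genuine-looking PDF, two disguised executables."""
    samples = {
        "template.pdf": b"%PDF-1.4\n% constructed body for the example\n",
        "invoice.pdf": PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60,   # PE bytes, PDF name
        "receipt.pdf.exe": PE_MAGIC + b"\x90\x00" + b"\x00" * 60,       # double extension
    }
    for fname, data in samples.items():
        with open(os.path.join(directory, fname), "wb") as fh:
            fh.write(data)


def demo():
    """Build the samples in a temporary directory and scan them; returns {name: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for fname, findings in demo().items():
        print(f"{fname:20} {'OK' if not findings else ', '.join(findings)}")
```

The magic-byte check is the one that matters: a file browser showing "invoice.pdf" with a PDF icon tells the user nothing about the bytes, and a double extension is only visible when extensions are not hidden. Run it on a real downloads directory by calling `scan_directory` with that path.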

In reality, the campaign is sophisticated as well as far-reaching.

According to the study, the common business terms serve as keywords for the threat actors' search-optimization technique, effectively convincing Google's web crawler that the intended content meets the conditions for a higher page rank, so that the malicious pages appear at the top of users' search results.

Commenting on the development, Spence Hutchinson, Manager of Threat Intelligence for eSentire, said, "Security leaders and their teams need to know that the threat group behind SolarMarker has gone to a good deal of effort to compromise business professionals, spreading a wide net and using many tactics to effectively disguise their traps."

Working Mechanism
Unlike the LinkedIn spearphishing campaign mentioned by eSentire last week, which used email and LinkedIn platforms, this campaign uses Google search redirection and the drive-by-download method to set traps for victims.

The attack begins while the victim is searching for business forms such as invoices, questionnaires, and receipts. The search results route the user to a malicious website where the document template is offered, and the RAT malware is delivered along with it when the template is downloaded.

When an unwitting potential victim lands on this page, the page displays download buttons for the file they were looking for. The requested document, as well as the SolarMarker (a.k.a. Yellow Cockatoo, Jupyter, and Polazert) RAT and a copy of Slim PDF, a legitimate PDF reader, are downloaded onto the victim's machine when they press the download button.

The motivation for downloading Slim PDF is unknown at this time. It’s thought to have been downloaded to give the user a false sense of security and trust. The threat actors will then send commands and upload additional files to the infected device once SolarMarker is active on the victim’s computer.
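The chain described in this section (Google search, Google-hosted landing page, executable download) leaves a recognisable sequence in web proxy logs. The script below is an added example, not part of the article or eSentire's research: it scans constructed proxy log lines (timestamp, client, method, URL, referrer, content type, all invented for the example) and flags a client that reached a sites.google.com page from a Google search and then fetched a Windows executable from that page within a short window. The ten-minute window, the log format and the content-type list are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed indicators of an executable download; extend for your proxy's labelling.
EXEC_CONTENT_TYPES = {
    "application/x-msdownload",
    "application/x-dosexec",
    "application/vnd.microsoft.portable-executable",
}
EXEC_EXTENSIONS = (".exe", ".scr", ".msi")
WINDOW = timedelta(minutes=10)   # assumed: landing page to download within ten minutes

# Constructed sample log: one poisoned-search chain (10.0.0.5) and one benign
# Google Sites visit (10.0.0.9). Fields: time client method url referrer content-type
SAMPLE_LOG = """
2021-06-01T10:02:11Z 10.0.0.5 GET https://www.google.com/search?q=free+invoice+template - text/html
2021-06-01T10:02:19Z 10.0.0.5 GET https://sites.google.com/view/example-invoice-templates/home https://www.google.com/search?q=free+invoice+template text/html
2021-06-01T10:02:40Z 10.0.0.5 GET https://example-cdn.invalid/download/invoice-template.exe https://sites.google.com/view/example-invoice-templates/home application/x-msdownload
2021-06-01T10:05:00Z 10.0.0.9 GET https://sites.google.com/view/team-docs/home https://intranet.example/links text/html
2021-06-01T10:05:30Z 10.0.0.9 GET https://intranet.example/policy.pdf https://sites.google.com/view/team-docs/home application/pdf
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict with a parsed timestamp."""
    ts, client, method, url, referrer, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "method": method, "url": url,
        "referrer": referrer, "ctype": ctype,
    }


def is_google_search(url):
    p = urlparse(url)
    host = p.hostname or ""
    return (host == "google.com" or host.endswith(".google.com")) and p.path.startswith("/search")


def is_google_sites(url):
    return urlparse(url).hostname == "sites.google.com"


def looks_executable(url, ctype):
    return ctype in EXEC_CONTENT_TYPES or urlparse(url).path.lower().endswith(EXEC_EXTENSIONS)


def find_seo_lure_chains(lines):
    """Return one alert per (client, landing page) where a Google search led to a
    sites.google.com page and an executable was then fetched with that page as referrer."""
    landings = {}   # (client, landing url) -> time the page was reached from a search
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_line(line)
        if is_google_sites(ev["url"]) and is_google_search(ev["referrer"]):
            landings[(ev["client"], ev["url"])] = ev["ts"]
            continue
        key = (ev["client"], ev["referrer"])
        if key in landings and looks_executable(ev["url"], ev["ctype"]) \
                and ev["ts"] - landings[key] <= WINDOW:
            alerts.append({
                "client": ev["client"],
                "landing": ev["referrer"],
                "download": ev["url"],
                "seconds_after_landing": int((ev["ts"] - landings[key]).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_seo_lure_chains(SAMPLE_LOG.splitlines()):
        print(alert)
```

This is a triage heuristic, not a verdict: sites.google.com hosts plenty of legitimate pages, so the benign 10.0.0.9 visit above produces nothing because no executable follows it. Referrer headers can also be stripped by browsers or policies, so an empty referrer on the download line should be treated as a gap in visibility rather than as proof the chain did not happen.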

Financial-Sector Based Cyberattack
Researchers explain a recent incident in which a victim in the financial industry was looking for a free version of a document online and was redirected to a Google sites page operated by threat actors, which included an embedded download button, via Google Search.

According to the researchers, an individual working in the financial sector would be a "high-value target" of the operation, offering attackers a variety of ways to compromise an enterprise and commit fraud.

Researchers said, "Once a RAT has been installed on a victim's computer, the threat actors can upload additional malware to the device, such as a banking trojan, which could be used to hijack the online banking credentials of the organization." Cybercriminals could also use this method to install a credential stealer, harvesting the employee's email credentials and launching a Business Email Compromise (BEC) scheme.

“Unfortunately, once a RAT is comfortably installed, the potential fraud activities are numerous,” researchers noted.
