{"id":6893,"date":"2021-06-15T08:44:38","date_gmt":"2021-06-15T12:44:38","guid":{"rendered":"https:\/\/www.technewsday.com\/?p=6893"},"modified":"2021-08-03T10:54:47","modified_gmt":"2021-08-03T14:54:47","slug":"solarmarker-malware-uses-pdfs-and-seo-keywords-to-spread","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/solarmarker-malware-uses-pdfs-and-seo-keywords-to-spread\/","title":{"rendered":"SolarMarker Malware Uses PDFs and SEO Keywords To Spread"},"content":{"rendered":"\n<p>Attackers behind the malware known as SolarMarker use PDF documents stuffed with search engine optimization (SEO) keywords to increase their visibility in search results, leading potential victims to malware hosted on a website that mimics Google Drive.<\/p>\n\n\n\n<p>SolarMarker is a backdoor malware that steals data and credentials from infected browsers.<\/p>\n\n\n\n<p>The attackers host pages on Google that serve as lures for malicious downloads.<\/p>\n\n\n\n<p>The malicious software is primarily aimed at North American users.<\/p>\n\n\n\n<p>Once opened, the PDFs ask users to download a DOC or PDF file, which then redirects them through 7 pages on TLDs such as .site, .tk and .ga.<\/p>\n\n\n\n<p>After several redirects, users arrive at a page that closely resembles Google Drive but is actually controlled by the attackers.<\/p>\n\n\n\n<p>The malware then exfiltrates stolen data to a command-and-control server and continues by creating shortcuts in the startup folder and modifying shortcuts on the desktop.<\/p>\n\n\n\n<p>The SEO poisoning technique appears to be very effective: Microsoft 365 Defender has blocked thousands of these PDF documents across different environments.<\/p>\n\n\n<p>For more information, read the <a href=\"https:\/\/www.zdnet.com\/article\/this-data-and-password-stealing-malware-is-spreading-in-an-unusual-way\/\" target=\"_blank\" rel=\"noopener\">original story<\/a> in ZDNet.<\/p>","protected":false},"excerpt":{"rendered":"<p>SolarMarker malware uses PDFs with SEO keywords to infect browsers.<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-6893","post","type-post","status-publish","format-standard","hentry","category-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/6893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=6893"}],"version-history":[{"count":4,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/6893\/revisions"}],"predecessor-version":[{"id":6902,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/6893\/revisions\/6902"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=6893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=6893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=6893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}