100,000 Google Sites Used to Install SolarMarker RAT

silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,120
Content source
https://threatpost.com/google-sites-solarmarket-rat/165396/
Hackers are using search-engine optimization (SEO) tactics to lure business users to more than 100,000 malicious Google sites that seem legitimate, but instead install a remote access trojan (RAT), used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware.

eSentire’s Threat Response Unit (TRU) discovered legions of unique, malicious web pages that contain popular business terms/particular keywords, including business-form related keywords like template, invoice, receipt, questionnaire and resume, researchers observed, in a report published Wednesday.

Attackers use Google search redirection and drive-by-download tactics to direct unsuspecting victims to the RAT—tracked by eSentire as SolarMarker (a.k.a. Jupyter, Yellow Cockatoo and Polazert). Typically a person who visits the infected site simply executes a binary disguised as a PDF by clicking on a purported “form” — thus infecting his or her machine.

“This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code,” researchers wrote. “Unfortunately, it reveals a glaring blind spot in controls, which allows users to execute untrusted binaries or script files at will.”
Click to expand...
threatpost.com

100,000 Google Sites Used to Install SolarMarker RAT

Search-engine optimization (SEO) tactics direct users searching for common business forms such as invoices, receipts or other templates to hacker-controlled Google-hosted domains.
threatpost.com threatpost.com
 
  • Wow
  • +Reputation
  • Like
Reactions: Venustus, Gandalf_The_Grey, Moonhorse and 9 others
Andy Ful

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,513
The threatpost.com articles are sometimes imprecise. For example, the below fragment can be wrongly understood:

"Typically a person who visits the infected site simply executes a binary disguised as a PDF by clicking on a purported “form” — thus infecting his or her machine."

This fragment can suggest that the infection may come automatically after clicking something on the infected website. But in fact, the user also has to use a standard web browser button "Open the file". The problem is that the executable file can be prepared to look like a document, so the user can be tricked to execute it while thinking that he/she opens a document.

From the original article:
"The infection process relies on exploiting the user, not an application. The user simply executes a binary disguised as a PDF to infect the machine. This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code. Unfortunately, it reveals a glaring blindspot in controls which allow users to execute untrusted binaries or script files at will."
www.esentire.com

Hackers Flood the Web with 100,000 Malicious Pages, Promising…

Business professionals search google for free office forms (invoices, questionnaires, and receipts) but get served a RAT
www.esentire.com www.esentire.com
 
  • Like
Reactions: Venustus, JB007, Gandalf_The_Grey and 1 other person
silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,120
Andy Ful said:
The threatpost.com articles are sometimes imprecise. For example, the below fragment can be wrongly understood:

"Typically a person who visits the infected site simply executes a binary disguised as a PDF by clicking on a purported “form” — thus infecting his or her machine."

This fragment can suggest that the infection may come automatically after clicking something on the infected website. But in fact, the user also has to use a standard web browser button "Open the file". The problem is that the executable file can be prepared to look like a document, so the user can be tricked to execute it while thinking that he/she opens a document.

From the original article:
"The infection process relies on exploiting the user, not an application. The user simply executes a binary disguised as a PDF to infect the machine. This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code. Unfortunately, it reveals a glaring blindspot in controls which allow users to execute untrusted binaries or script files at will."
www.esentire.com

Hackers Flood the Web with 100,000 Malicious Pages, Promising…

Business professionals search google for free office forms (invoices, questionnaires, and receipts) but get served a RAT
www.esentire.com www.esentire.com
Click to expand...

Why those people from threatpost still earning their money for such articles if details are may be wrong or just written to be misinterpreted... ;)

I just waiting for comments like "this kind of attack isn't like a real threat for home users"
 
  • Like
  • +Reputation
Reactions: Venustus, JB007, Gandalf_The_Grey and 1 other person
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
Solarmarker Malware Uses Novel Techniques to Persist on Hacked Systems
Replies
1
Views
964
News Archive
Kongo
Kongo
silversurfer
    • Like
    • +Reputation
Gootkit malware abuses VLC to infect healthcare orgs with Cobalt Strike
Replies
0
Views
701
News Archive
silversurfer
silversurfer
upnorth
    • Like
    • +Reputation
    • Thanks
Dangerous BatLoader Malware Dropper
Replies
3
Views
1,899
News Archive
oldschool
oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top