MALWARE ALERT 100,000 Google Sites Used to Install SolarMarker RAT

silversurfer

Hackers are using search-engine optimization (SEO) tactics to lure business users to more than 100,000 malicious Google sites that seem legitimate, but instead install a remote access trojan (RAT), used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware.

eSentire’s Threat Response Unit (TRU) discovered legions of unique, malicious web pages that contain popular business terms/particular keywords, including business-form related keywords like template, invoice, receipt, questionnaire and resume, researchers observed, in a report published Wednesday.

Attackers use Google search redirection and drive-by-download tactics to direct unsuspecting victims to the RAT—tracked by eSentire as SolarMarker (a.k.a. Jupyter, Yellow Cockatoo and Polazert). Typically a person who visits the infected site simply executes a binary disguised as a PDF by clicking on a purported “form” — thus infecting his or her machine.

“This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code,” researchers wrote. “Unfortunately, it reveals a glaring blind spot in controls, which allows users to execute untrusted binaries or script files at will.”
 

Andy Ful

The threatpost.com articles are sometimes imprecise. For example, the below fragment can be wrongly understood:

"Typically a person who visits the infected site simply executes a binary disguised as a PDF by clicking on a purported “form” — thus infecting his or her machine."

This fragment can suggest that the infection may come automatically after clicking something on the infected website. But in fact, the user also has to use a standard web browser button "Open the file". The problem is that the executable file can be prepared to look like a document, so the user can be tricked to execute it while thinking that he/she opens a document.

From the original article:
"The infection process relies on exploiting the user, not an application. The user simply executes a binary disguised as a PDF to infect the machine. This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code. Unfortunately, it reveals a glaring blindspot in controls which allow users to execute untrusted binaries or script files at will."
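A defender-side check for the "executable dressed up as a document" case described above, added here as an example that is not from the thread, the threatpost article or the eSentire report. The extension lists are assumptions, and the file names and the minimal MZ/PE header are constructed for the demonstration.

```python
import os
import struct

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}   # assumed list
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".msi", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
RTLO = "\u202e"  # Unicode right-to-left override: makes 'x\u202efdp.exe' display as 'xexe.pdf'


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def assess_download(name: str, head: bytes) -> list:
    """Reasons a saved file looks like an executable dressed up as a document.

    name: file name as saved; head: first few hundred bytes of its content.
    An empty list means no mismatch was found, not that the file is safe."""
    reasons = []
    if RTLO in name:
        reasons.append("rtlo_in_name")
    stem, last = os.path.splitext(name.lower())
    _, second = os.path.splitext(stem)
    if last in EXEC_EXTS and second in DOC_EXTS:
        reasons.append("double_extension")              # e.g. invoice.pdf.exe
    if is_pe_image(head):
        if last not in EXEC_EXTS:
            reasons.append("pe_content_with_document_name")
    elif last == ".pdf" and not head.startswith(b"%PDF-"):
        reasons.append("pdf_magic_mismatch")
    return reasons


def constructed_pe_header() -> bytes:
    """Minimal constructed MZ/PE header that satisfies is_pe_image; not a runnable program."""
    buf = bytearray(0x44)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)             # e_lfanew -> offset 0x40
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)

if __name__ == "__main__":
    pe = constructed_pe_header()
    for name, head in [("invoice.pdf", pe), ("resume.pdf.exe", pe),
                       ("form.pdf", b"%PDF-1.7\n"), ("template\u202efdp.scr", pe)]:
        print(repr(name), assess_download(name, head))
```

The same checks can run over a browser's download directory or a proxy's saved attachments; only the name and the first bytes of content are needed, so no file has to be opened or executed.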
 

silversurfer

Andy Ful said:
> The threatpost.com articles are sometimes imprecise. For example, the below fragment can be wrongly understood:
>
> "Typically a person who visits the infected site simply executes a binary disguised as a PDF by clicking on a purported “form” — thus infecting his or her machine."
>
> This fragment can suggest that the infection may come automatically after clicking something on the infected website. But in fact, the user also has to use a standard web browser button "Open the file". The problem is that the executable file can be prepared to look like a document, so the user can be tricked to execute it while thinking that he/she opens a document.
>
> From the original article:
> "The infection process relies on exploiting the user, not an application. The user simply executes a binary disguised as a PDF to infect the machine. This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code. Unfortunately, it reveals a glaring blindspot in controls which allow users to execute untrusted binaries or script files at will."

Why are those people from threatpost still earning their money for such articles if the details may be wrong or are just written to be misinterpreted... ;)

I am just waiting for comments like "this kind of attack isn't like a real threat for home users"
 