"This Data and Password-Stealing Malware Is Spreading in an Unusual Way"
The operators of the SolarMarker malware are using PDF documents stuffed with Search Engine Optimization (SEO) keywords to rank highly on search engines and lead potential victims to the malware, which is hosted on a malicious site posing as Google Drive. According to Microsoft, SolarMarker is a backdoor that steals data and credentials from browsers. SEO poisoning is a technique in which search engines themselves are used to spread malware. In SolarMarker's case, the attackers have been using thousands of PDFs filled with keywords and links that redirect unsuspecting victims through a chain of sites to one that installs the malware. The PDF documents are designed to rank in search results by being padded with more than ten pages of keywords on a wide range of topics, such as insurance forms and math answers. CrowdStrike drew attention to SolarMarker in February for using the same SEO poisoning method; users in North America were largely targeted by the malware. The SolarMarker operators hosted pages on Google Sites as lures for the malicious downloads; these sites promoted document downloads and were found to rank highly in search results. According to Microsoft researchers, the attackers have since started using Amazon Web Services (AWS) and Strikingly's service in addition to Google Sites. Data from Microsoft 365 Defender shows that the SEO poisoning technique has been effective: Microsoft Defender Antivirus has detected and blocked thousands of these PDFs across many environments. This article continues to discuss the use of malicious PDF documents and pages to spread SolarMarker malware.
ZDNet reports "This Data and Password-Stealing Malware Is Spreading in an Unusual Way"