SolarMarker malware puts users at risk
The malware distributed in this campaign is SolarMarker (aka Jupyter, Polazert and Yellow Cockatoo), a .NET RAT that runs in memory and is used by attackers to drop other payloads on infected devices.
SolarMarker is designed to give its operators a backdoor into compromised systems and to steal credentials from web browsers.
The data it collects from infected systems is exfiltrated to a command-and-control (C2) server. It also places itself in the Startup folder and modifies shortcuts on the victim's computer.
In April, eSentire researchers found that the threat actors behind SolarMarker had flooded search results with more than 100,000 websites claiming to offer free office forms (e.g., invoices, questionnaires, receipts and resumes).
In reality, these sites act as traps for business users looking for document templates, who are unwittingly infected with the SolarMarker RAT through drive-by downloads and search redirects routed through Shopify and Google Sites.
In more recent attacks discovered by Microsoft, the attackers switched to keyword-stuffed documents hosted on AWS and Strikingly. They are now also targeting other sectors, including finance and education.
"Attackers use thousands of keyword-stuffed PDF documents and SEO links that redirect to malware. The attack works using PDF documents designed to rank in search results. To achieve this, the attackers stuffed these documents with more than 10 pages of keywords on a variety of topics, ranging from 'insurance form', 'contract approval' and 'how to enter SQL' to 'math answer'."
When victims find one of the malicious PDFs and open it, they are prompted to download another PDF or DOC file that supposedly contains the information they are looking for. Instead of getting that information, they are redirected through multiple sites using the .site, .tk and .ga TLDs to a Google Drive look-alike site hosting the SolarMarker malware.
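As an added defensive example (not part of the article or of any vendor's tooling), the redirect pattern described above can be hunted for in web proxy logs: the script below rebuilds referer chains from constructed sample log lines and flags chains that hop through the .site, .tk and .ga TLDs before landing on a look-alike Google Drive host. The log format and every hostname in it are assumptions.

```python
# Added example (not from the article): rebuild redirect chains from constructed proxy
# log lines and flag hops through throwaway TLDs that end on a fake "Google Drive" host.
from urllib.parse import urlparse

SUSPICIOUS_TLDS = {"site", "tk", "ga"}      # TLDs named in the article

# Constructed sample log, format: timestamp client referer url ("-" = no referer).
LOG_LINES = """\
2021-06-11T10:01:02Z 10.0.0.5 - https://pdf-host.example/invoice-form.pdf
2021-06-11T10:01:09Z 10.0.0.5 https://pdf-host.example/invoice-form.pdf http://forms-dl.site/get
2021-06-11T10:01:10Z 10.0.0.5 http://forms-dl.site/get http://file-share.tk/go
2021-06-11T10:01:11Z 10.0.0.5 http://file-share.tk/go http://drive-google.ga/d/xyz
2021-06-11T10:01:12Z 10.0.0.5 http://drive-google.ga/d/xyz http://drive-google-dl.com/file.zip
2021-06-11T10:05:00Z 10.0.0.7 - https://drive.google.com/file/d/abc
""".splitlines()


def looks_like_drive_clone(host):
    """Brand words present, but the host is not under google.com."""
    host = host.lower()
    if host == "google.com" or host.endswith(".google.com"):
        return False
    return "drive" in host or "google" in host


def reconstruct_chains(lines):
    """Per client, walk referers backwards from each request nothing else referred to."""
    ref_of = {}                                  # client -> {url: referer}
    for line in lines:
        _ts, client, referer, url = line.split()
        ref_of.setdefault(client, {})[url] = None if referer == "-" else referer
    chains = []
    for client, refs in ref_of.items():
        referers = {r for r in refs.values() if r}
        for url in refs:
            if url in referers:
                continue                         # not the last hop of a chain
            chain = [url]
            while refs.get(chain[-1]) and len(chain) < 32:   # bound cyclic referers
                chain.append(refs[chain[-1]])
            chains.append((client, chain[::-1]))
    return chains


def flag_seo_redirect_chains(lines, min_throwaway_hops=2):
    """Return (client, chain) pairs matching the SEO-poisoning redirect pattern."""
    hits = []
    for client, chain in reconstruct_chains(lines):
        hosts = [urlparse(u).hostname or "" for u in chain]
        throwaway = [h for h in hosts if h.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS]
        if len(throwaway) >= min_throwaway_hops and looks_like_drive_clone(hosts[-1]):
            hits.append((client, chain))
    return hits
```

Lowering `min_throwaway_hops` widens the net at the cost of more benign hits, so tune it against your own proxy data.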
Morphisec researchers discovered that many of the malware's C2 servers are located in Russia, although many are no longer operational.
"TRU has not seen a target after the SolarMarker infiltration, but suspects any possibility, including ransomware, credential theft, fraud, or as a foothold in the victim's network for espionage, or intrusion," added eSentire's Threat Response Unit (TRU).