SolarMarker RAT Uses Google SEO Tactics to Lure Victims

The eSentire Threat Response Unit (TRU) has identified that attackers are using new techniques to lure business professionals to hacker-controlled websites hosted on Google Sites. The cybersecurity solutions provider has also identified several additional incidents in the past week.

What has happened?

Visiting the infected web pages would install a RAT to gain a foothold on a targeted network. The access inside the target network is further used to infect systems with banking trojans, ransomware, credential-stealers, and other malware.
The malicious web pages include popular business terms such as invoice, receipt, questionnaire, and resume.
Attackers are using Google search redirection and drive-by-download tactics to infect targeted users with SolarMarker RAT.
A visitor who clicks the form on an infected site executes a binary disguised as a PDF, which infects the visitor's system.
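The lure described above combines document-themed filenames with an executable masquerading as a PDF. As an added example, not taken from the eSentire/TRU write-up, the following Python checks a downloaded file's real magic bytes against the type its name claims and notes which of the article's lure terms appear in the name; the filenames and byte prefixes are constructed for illustration.

```python
# Added example, not part of the original article: flag downloads that
# present as PDFs but carry a Windows PE header, and note lure keywords.
from dataclasses import dataclass

# Business terms the article reports in the malicious page titles.
LURE_TERMS = ("invoice", "receipt", "questionnaire", "resume")
PDF_MAGIC = b"%PDF-"   # genuine PDF files start with this
PE_MAGIC = b"MZ"       # Windows executables (PE) start with this

@dataclass
class Download:
    filename: str   # name as presented to the user (constructed sample)
    head: bytes     # first bytes of the file on disk (constructed sample)

def claimed_type(filename: str) -> str:
    """Type a user would infer from the name; 'invoice.pdf.exe' still
    reads as a PDF when the OS hides known extensions."""
    return "pdf" if ".pdf" in filename.lower() else "other"

def actual_type(head: bytes) -> str:
    """Type derived from the file's leading bytes, not its name."""
    if head.startswith(PDF_MAGIC):
        return "pdf"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "unknown"

def assess(d: Download) -> dict:
    claimed = claimed_type(d.filename)
    actual = actual_type(d.head)
    lures = [t for t in LURE_TERMS if t in d.filename.lower()]
    masquerade = claimed == "pdf" and actual == "pe"
    return {"filename": d.filename, "claimed": claimed, "actual": actual,
            "lure_terms": lures, "masquerade": masquerade,
            "verdict": "suspicious" if masquerade else "ok"}

# Constructed sample downloads: two PE files named as PDFs, one real PDF.
SAMPLE = [
    Download("Invoice_2021.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
    Download("questionnaire.pdf", b"%PDF-1.7\n"),
    Download("Resume.pdf", b"MZ\x90\x00\x03\x00"),
]

def scan(downloads=SAMPLE) -> list:
    return [assess(d) for d in downloads]

if __name__ == "__main__":
    for r in scan():
        print(r["verdict"], r["filename"], r["claimed"], "->", r["actual"], r["lure_terms"])
```

In a real pipeline the same check would run over the file bytes recorded by an EDR or proxy rather than on constructed samples.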

About the SolarMarker RAT

The TRU team analyzed SolarMarker RAT, which is written in the Microsoft .NET framework. It uses multiple decoy applications that are downloaded to the victim’s computer.
Most recently, the Slim PDF reader software has been used as a decoy to spread the trojan.
This decoy serves as a distraction for the victim and adds an element of apparent legitimacy to the download.
In the last months of 2020, the attackers used several different file names for the decoy app, such as docx2rtf[.]exe, photodesigner7_x86-64[.]exe, Expert_PDF[.]ex, and docx2rtf[.]exe.

Conclusion

The recent attacks indicate that cybercriminals are getting smarter and adding more layers of sophistication to their campaigns. By using a RAT, attackers can harvest employee email credentials and launch a BEC scheme. Therefore, stayi ..