A malware actor used their own brand of SEO poisoning to distribute malicious files, according to research published Tuesday by Sophos.
Sophos’ latest report concerns SolarMarker, a backdoor and information-stealing malware that was initially detected in late 2020. The malware was typically installed when victims visited a Google search result that had been planted near the top of the results through the threat actors’ search engine optimization (SEO) poisoning. These links are designed to get a user to download a fake Windows installer that runs a PowerShell script.
While SEO poisoning itself is a well-known technique, the effectiveness of this particular approach is one thing that makes this campaign stand out, Sophos said in its report.
“These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted,” the report read.
SophosLabs senior threat researcher Sean Gallagher, who co-authored the report, said one reason this is unusual is that a significant amount of SEO poisoning comes from “downloader-as-a-service” operations and not individual operators.
“SEO poisoning used to be a lot more common of a technique, but it’s been much more rare recently because it’s not as effective for targeted attacks,” he told SearchSecurity. “Most of the SEO poisoning we see now is part of paid malware distribution services, which we see as a small but pervasive part of information-stealing malware and crypto-fraud malware operations; it’s rare for a malware operator to create their own SEO poisoning infrastructure, but it still happens.”
The report touched on three SEO manipulation methods used to distribute SolarMarker. With the first, operators created Google Groups with 500-600 fake posts named after various search terms to make the group appear populated. The post comments would contain PDF links that redirected to malicious .msi installers.
In the second method, SolarMarker actors created a malicious PDF file to appear in search results. The PDF contained links to PDF or document downloads for the search result, which then redirected to a Windows installer.
With the third method, threat actors planted deceptive pages on compromised WordPress sites.
“The HTML source for these malicious pages contain link collections for other search terms, all connected to other malicious pages on the same compromised server, as part of the mechanism behind the fraudulent SEO campaign,” the report read.
A few of the search terms SolarMarker exploited included “university,” “worksheet,” “application” and “handbook.” One example offered by Sophos included “good-choice-bad-choice-worksheet-for-kids.msi.”
The SEO poisoning was so effective, the report added, that some search terms placed links for all three listed methods within the top 10 Google search results.
Sophos, which first detected the SolarMarker SEO poisoning in October, said the campaign appears to have ceased, but the threats still linger.
“There are currently no active SolarMarker-spreading campaigns, as the final download site used by the operators of the campaign was shut down,” the report read. “But SolarMarker deployments remain active, and while we’ve seen a decline in detections of the malware since November of 2021, the malware has not disappeared. It may be just a matter of time before a new campaign using new infrastructure is launched.”
Asked whether search engine operators can do more to limit the spread of malicious SEO manipulation, Gallagher answered in the affirmative.
“Google and other search engine operators can do more to tweak algorithms to look for fraudulent sites by looking for link farms of unrelated search terms on a page and demoting its page rank or flagging it as potential spam, and by following links deeper in indexing to look for unrelated file downloads,” he said.
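As an added illustration, not code from the Sophos report or from this article, the following Python check implements the page-level signals described above as a defender's triage heuristic: the number of links to other pages on the same server, how little vocabulary those links' keyword slugs share with each other (a link farm of unrelated search terms), and whether any link resolves to a Windows installer file. The host names, page contents and thresholds are constructed for the example.

```python
"""Heuristic scoring of a web page for SEO link-farm characteristics.

Added example, not Sophos' or any search engine's code. It scores the signals
the article names: many same-server links with unrelated keyword slugs, and
links that resolve to Windows installer files. All hosts and pages below are
constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

INSTALLER_EXTENSIONS = (".msi", ".exe")


class LinkCollector(HTMLParser):
    """Collects every href attribute from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def slug_words(url):
    """Words of the last path component, extension stripped: 'a-b.html' -> ['a', 'b']."""
    last = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    last = re.sub(r"\.[A-Za-z0-9]+$", "", last)
    return [w for w in re.split(r"[-_]+", last.lower()) if w]


def assess_page(html, page_url, min_links=15, min_distinct_ratio=0.8):
    """Return link-farm signals for one page plus an overall verdict."""
    page_host = urlparse(page_url).netloc
    links = extract_links(html)
    same_host = [l for l in links if urlparse(l).netloc in ("", page_host)]
    installers = [l for l in links
                  if urlparse(l).path.lower().endswith(INSTALLER_EXTENSIONS)]
    # A link farm stuffs many unrelated search terms into its slugs, so the
    # vocabulary across slugs barely repeats; a coherent site reuses topic words.
    words = [w for link in same_host for w in slug_words(link)]
    distinct_ratio = len(set(words)) / len(words) if words else 0.0
    farm_like = len(same_host) >= min_links and distinct_ratio >= min_distinct_ratio
    return {
        "same_host_links": len(same_host),
        "installer_links": len(installers),
        "distinct_word_ratio": round(distinct_ratio, 3),
        "suspicious": farm_like or bool(installers),
    }


# Constructed sample: a page in the style the report describes, linking 20 other
# "search term" pages on the same host plus two installer downloads elsewhere.
FARM_SLUGS = [
    "university-application-handbook", "math-worksheet-grade", "employee-onboarding-checklist",
    "nursing-school-essay", "free-resume-template", "chemistry-lab-manual",
    "visa-form-instructions", "piano-sheet-music", "tax-return-guide",
    "wedding-planning-budget", "car-rental-agreement", "python-tutorial-pdf",
    "yoga-poses-beginners", "dog-training-tips", "spanish-vocabulary-list",
    "kitchen-remodel-cost", "lease-agreement-sample", "bible-study-worksheet",
    "college-application-essay", "job-handbook-template",
]
FARM_URL = "https://compromised-blog.example.invalid/pages/university-application-handbook.html"
FARM_HTML = "<html><body>" + "".join(
    f'<a href="/pages/{slug}.html">{slug}</a>' for slug in FARM_SLUGS
) + (
    '<a href="https://dl.example.invalid/good-choice-bad-choice-worksheet-for-kids.msi">PDF</a>'
    '<a href="https://dl.example.invalid/university-application-handbook.msi">PDF</a>'
) + "</body></html>"

# Constructed sample: an ordinary site whose links share a topic vocabulary.
BENIGN_URL = "https://bakery.example.invalid/recipes/"
BENIGN_HTML = "<html><body>" + "".join(
    f'<a href="/recipes/{slug}.html">{slug}</a>' for slug in [
        "chocolate-chip-cookie-recipe", "oatmeal-cookie-recipe", "sugar-cookie-recipe",
        "peanut-butter-cookie-recipe", "cookie-baking-tips", "about-us",
    ]
) + "</body></html>"

if __name__ == "__main__":
    print("farm page:  ", assess_page(FARM_HTML, FARM_URL))
    print("benign page:", assess_page(BENIGN_HTML, BENIGN_URL))
```

The distinct-word ratio is deliberately crude: it rewards pages whose outbound slugs never repeat a topic word, which is exactly the pattern of a page that exists only to rank for hundreds of unrelated queries. In a crawler, the installer-link signal would be applied after following redirects, since the report notes the PDF and page links redirected to the .msi rather than linking to it directly.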
Alexander Culafi is a writer, journalist and podcaster based in Boston.
All Rights Reserved, Copyright 2000 – 2022, TechTarget