Threat actors have been observed using malicious SEO techniques to distribute SolarMarker, an information stealer and backdoor also known as Jupyter or Polazert.
Over the past seven months, SophosLabs has monitored a series of new efforts to distribute SolarMarker. This .NET malware, usually delivered by a PowerShell installer, has information-harvesting and backdoor capabilities.
Last October, researchers observed a set of active SolarMarker campaigns that combined search engine optimization (SEO) targeting with custom-made MSI installer packages to deliver the payload.
In the report, SophosLabs detailed that by using malicious SEO techniques, threat actors were able to place links to websites with deceptive content in search results from multiple search engines.
“These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the malware lures were usually at or near the top of search results for phrases the SolarMarker actors targeted,” it said in a press release.
Infected sites attempted to deceive users into downloading a malicious Windows installer, which would, in turn, execute a decoy install program and launch a PowerShell script that installed the malware.
There is currently no active SolarMarker-spreading campaign, but SolarMarker deployments remain active, and the malware has not disappeared.
“The cyber threat landscape moves so fast that it can be tempting for defenders to focus security attention and resources on active or widely used attack approaches, but that could leave organizations with potential security gaps that attackers won’t hesitate to exploit. An example of this is SEO poisoning,” Sean Gallagher, a senior threat researcher at Sophos, said in a press release.
According to Sophos, ransomware operators and other malicious actors currently favor malware delivery methods focused mainly on phishing emails, Remote Desktop Protocol exploitation, and remote code execution vulnerabilities.
“However, there are still some active campaigns that use SEO as a delivery method, including the Solar Marker campaigns we investigated, and these don’t get as much security attention right now. As a result, these SEO-based campaigns can slip under the radar of defenders until it is too late and the payload has already been deployed. Employee education on the risks will help, but a strong defense-in-depth that catches malicious downloads that have slipped through the net is best,” Gallagher said.