The eSentire Threat Response Unit (TRU) has identified that attackers are using new techniques to lure business professionals to hacker-controlled websites hosted on Google Sites. Moreover, the cybersecurity solutions provider has identified various additional incidents, as well, in the past week.

Strategy

The attackers are using search engine optimization tactics to lure business users to more than 100,000 malicious Google sites.

  • Visiting the infected web pages would install a RAT to gain a foothold on a targeted network. The access inside the target network is further used to infect systems with banking trojans, ransomware, credential-stealers, and other malware.
  • The malicious webpage include popular business terms such as invoice, receipt, questionnaire, and resume.
  • Attackers are using Google search redirection and drive-by-download tactics to infect targeted users with SolarMarker RAT.
  • Anyone visiting the infected site executes a binary masked as a PDF by clicking on a form that infects the visitors’ system.

SolarMarket RAT 

The TRU team analyzed SolarMarket RAT, which is written in the Microsoft .NET framework. It uses multiple decoy applications that are downloaded to the victim’s computer.

  • Most recently, the Slim PDF reader software has been used as a decoy to spread the trojan.
  • This malicious PDF serves as a distraction for victims and acts as an added element of legitimacy to fool the victim.
  • In the last months of 2020, the attackers used several file formats for the decoy app, such as docx2rtf[.]exe, photodesigner7_x86-64[.]exe, Expert_PDF[.]ex, and docx2rtf[.]exe.

Conclusion

The recent attacks indicate that cybercriminals are getting smarter and adding more layers of sophistication to their campaigns. By using a RAT, attackers can harvest employee email credentials and launch a BEC scheme. Therefore, staying alert is key to prevent being compromised by such attacks.