Several professionals who had searched the internet for professional forms such as invoices, questionnaires, and receipts were lured into downloading a RAT to their system. It has been found that over 100,000 unique pages contain the terms “template”, “invoice”, “receipt”, “questionnaire”, and “resume”.
RAT stands for Remote Access Trojan. A RAT is a malware program that includes a back door for administrative control over the target computer by posing to be something it is not.
Unlike the LinkedIn spearphishing campaign reported by eSentire last week that utilized email and LinkedIn channels, this campaign lays long-standing traps for victims using Google search redirection and the drive-by- download method.
How is the attack carried out?
The attack begins with the victim searching for business forms such as invoices, questionnaires and receipts. He then downloads the document template, at which point of time, the user is redirected to a malicious website where the RAT malware is hosted.
Once the potential victim unknowingly lands on this page, the page shows buttons to download the file they were searching for. On clicking the download button, the desired document is downloaded onto the victim’s computer along with the SolarMarker (a.k.a Yellow Cockatoo, Jupyter, and Polazert) RAT, and a copy of Slim PDF, a legitimate PDF reader.
As of this moment, the intention of downloading Slim PDF is not yet known. It is believed that it may be downloaded to instal a false sense of security and confidence. Once SolarMarker is active on the victim’s computer, the threat actors can send commands and upload additional files to the infected system.
On further analyzing the source code of the embedded button page, a link to a .tk domain is revealed.
Upon inspecting the source code of the embedded download button at passiondiamond(.)site, researchers found an entirely different .tk domain, indicating a possibility that these redirect pathways are dynamic and can be changed for either operational security or delivery efficacy.