Thousands of devices infected with the SolarMarker Trojan via malicious websites

A recent report notes that a hacking group is employing search engine optimization (SEO) tactics to lure users to over 100,000 legitimate-looking malicious websites through Google search results.

The goal of this campaign is to install a Remote Access Trojan (RAT) on vulnerable devices, which would allow subsequent attacks and infections to be deployed. Security researchers at eSentire detected this campaign and noted that the malicious web pages appear in search results when the user searches for terms related to invoices, receipts, questionnaires and résumés.

The attackers use search redirection and direct-download methods to send users to sites that deliver the Trojan identified as SolarMarker (also known as Jupyter, Yellow Cockatoo or Polazert). Users who visit one of these sites are infected almost immediately after landing on the page, via a malicious PDF file.

According to the researchers, this is a highly sophisticated campaign with enormous potential reach: “Hackers have been able to exploit an obvious blind spot in network security controls, allowing users to run binaries or script files that are untrusted at will.”

In their report, the researchers detailed a recent incident in which a user in the financial industry fell victim to a cyberattack after downloading a malicious document from a website controlled by cybercriminals. The researchers consider members of the financial services industry the ideal target for such campaigns, as they have access to multiple sources of sensitive information.

Regarding the Trojan used by the attackers, the researchers note that once it has been installed on the victim’s device, the RAT can load additional malware for the theft of login credentials and the hijacking of online accounts: “Hackers could also install information stealers in this way, collecting email credentials to launch a business email compromise scheme,” the report states.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.