A new RAT i.e Remote Access Trojan has been found that is spreading via more than 100,000 websites that offer malicious documents and PDFs capable of yielding a multitude of cyberattacks.

Malicious RATs from over 100,000 websites:

According to established security experts, this is known as a search engine poisoning approach adopted by malicious actors that are trapping victims into what appear to be authentic Google websites but carry the malicious RAT.

Detailing the deployment of the RAT, the cyberattack operates by exploiting the commonly attributed searches for business forms like templates, receipts, invoices, questionnaires.

Subsequently, when victims attempt to download these document templates they are redirected to malicious websites that carry the RAT.

When the RAT gets downloaded on a victim’s device or system, it gets activated to transmit malicious commands by the malicious actors.

These commands can further upload supplementary malware like payloads, credential stealers, ransomware, banking trojan, or can employ the RAT as a foothold into the victim’s network.

Expert analytics of the RATs:

“Once a victim lands on the attacker-controlled website and downloads the document being searched for, it becomes an entry point for more sophisticated threats, ultimately resulting in the installation of a .NET-based RAT called SolarMarker (aka Yellow Cockatoo, Jupyter, and Polazert)” noted security experts

Over 100,000 such unique websites have been allegedly found to be spreading the malicious RAT using well-integrated business keywords

Keywords help websites rank higher on search engine indices, therefore, extending their probability of getting clicked by the search engine user.

In a peculiar case that was investigated for the RAT deployment, it was found that when an employee of a financial institution downloaded an infected PDF, the launched attack deployed the RAT alongside an authentic version of Slim PDF to remain under the radar.

Also read,

Perhaps the other concerning facet of the cyberattack campaign is the SolarMarker threat group that has flooded multitudes of malicious websites with keywords attributed to financial documents.

Mitigating risks:

Since search engines are such a vital component of the cyberage, it would be inconsequential to hinder users from using them, however, it is always wise to abstain from downloading documents from untrusted sources, even if they are available on authentic search engines.