SolarMarker Malware Stealing User Information Through PDFs

The hackers behind the malware called SolarMarker have begun using an innovative and unexpected means of distributing their poisoned code.

They’ve started publishing PDF documents filled with SEO (Search Engine Optimization) keywords in a bid to boost the visibility of malicious websites that pose as Google Drive, but in fact, are simply repositories for the malware itself.

A potential victim may get an email containing a PDF promising detailed information on attractive insurance rates or attractive credit card deals. Clicking on the links in the PDF will redirect the victim to a site designed to look like Google Drive, with instructions to download a different file on the drive. It is the act of clicking the file on the drive that dooms the user.

SEO is a tried and true marketing tactic used by legitimate business owners to drive traffic to their sites, co-opted, in this case, for a nefarious purpose. Unfortunately, it has proven to be a wildly effective thus far.

As to the malware itself, SolarMarker is a backdoor malware that steals login credentials and other data from web browsers. So it’s not harmful on its own, but it makes it easier for the hackers controlling it to introduce damaging malware down the road and/or steal a victim’s identity.

Crowdstrike was the first company to sound the alarm when researchers at the company first discovered the unusual marketing campaign for the malware. Note that thus far, at least, SolarMarker’s makers seem to have focused the bulk of their attention on North America.

PDFs have been used for a very long time to deliver malicious payloads, but the unusual methodology used here makes this attack noteworthy. Be on your guard against any PDFs you or your staff receive from unknown, un-trusted sources. Clicking links embedded in those files may net you much more than you bargained for, and not in a good way.