Google Sites blight: Over 100,000 web pages for business form searches overrun with backdoor RATs
eSentire warns of remote-access trojans masquerading as PDFs
More than 100,000 web pages hosted by Google Sites are being used to trick netizens into opening business documents booby-trapped with a remote-access trojan (RAT) that takes over victims' PCs and hands control to miscreants.
Infosec outfit eSentire on Tuesday said it has noted a wave of so-called search redirection shenanigans, in which people Googling for business forms and the like are shown links to web pages published via Google Sites – a Google-hosted web service – that offer a download of whatever materials they were looking for. After clicking on a button to fetch the desired file, the mark is taken to a different site entirely.
Those sites download a Windows executable, masquerading as a PDF or Microsoft Word file, that when opened installs the RAT, meaning a victim has to be duped into running the malicious software after fetching it. The Google Sites pages include common business terms like "template," "invoice," "receipt," "questionnaire," and "resume," in order to convince Google's search algorithm that the pages are relevant for those searches.
"Once the target lands on a site controlled by the hacker, the page shows download buttons for the document template they were searching," eSentire explained in a post provided ahead of publication to The Register. "When clicked, the business professional is redirected (unknowingly) to a malicious website which serves up an executable disguised as a PDF document or a Word document."
Using the Google Search query below, which looks for the text label used in one of the download buttons that fetches a malicious executable, many of these booby-trapped pages could still be found at the time this story was filed.
Be advised, in case it's not obvious, that if you copy and paste this search string into your browser, you should not be clicking any download buttons encountered on any of the search results pages that Google returns.
In an attack observed by eSentire, the ill-intentioned executable, designed to look like a .pdf, simultaneously installed the SolarMarker RAT and a copy of the Slim PDF Reader, a legitimate app bundled with the RAT, presumably to distract from the malware installation.
With SolarMarker installed, those running the campaign can send remote commands and upload other files to the infected system.
Spence Hutchinson, manager of threat intelligence for eSentire, said the reliance on user interaction to deliver malware is a testament to the increasing security of browsers. "Unfortunately, it reveals a glaring blindspot in controls which allow users to execute untrusted binaries or script files at will," he said.
SolarMarker has been spotted by other security companies, which have variously referred to it as Jupyter, Yellow Cockatoo, and Polazert. eSentire said it first became aware of the RAT in October, when the malware was dropping tracking files on infected hosts and using Shopify and PDF-embedded links for redirection.
Initially, it used a decoy file, docx2rtf.exe, to conceal the download and installation of Microsoft's .NET framework. It was later seen using two other decoy applications, Expert_PDF.exe, and is now using the Slim PDF Reader.
The attack path involves a Google Sites page controlled by the attacker with an embedded download button that's served from an attacker-controlled host. A click on the button fetches the executable payload disguised as a PDF over several IPv6 addresses, mostly using .tk and .ml domains. The client triggers the executable by opening the supposed PDF, which then installs .NET functionality for the RAT as a .tmp executable. The RAT then invokes PowerShell and contacts potential command-and-control servers.
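The lure in this chain is a Windows executable carrying a PDF or Word file name, so one cheap control at the download stage is to compare what a file's name claims with what its first bytes actually are. The script below is an added illustration of that check, not code from eSentire or The Register; the file names and header bytes are constructed samples, and the folder it scans is a throwaway temporary directory.

```python
import os
import tempfile

# Magic bytes of the formats the lures claim to be, versus a Windows PE image.
PDF_MAGIC = b"%PDF-"
OOXML_MAGIC = b"PK\x03\x04"  # .docx is a ZIP container
PE_MAGIC = b"MZ"
DOC_EXTS = {".pdf", ".doc", ".docx"}

def classify(path: str) -> str:
    """Verdict for one downloaded file: 'document', 'masquerading_pe' or 'other'."""
    name = os.path.basename(path).lower()
    stem, ext = os.path.splitext(name)
    with open(path, "rb") as fh:
        head = fh.read(8)
    # Name claims a document, content is a PE image: the shape of the lure described above.
    if ext in DOC_EXTS and head.startswith(PE_MAGIC):
        return "masquerading_pe"
    # Double extension such as invoice.pdf.exe (invisible when Explorer hides extensions).
    if ext == ".exe" and os.path.splitext(stem)[1] in DOC_EXTS:
        return "masquerading_pe"
    if ext == ".pdf" and head.startswith(PDF_MAGIC):
        return "document"
    if ext == ".docx" and head.startswith(OOXML_MAGIC):
        return "document"
    return "other"

def scan_downloads(folder: str) -> dict:
    """Classify every regular file in a downloads folder, keyed by file name."""
    verdicts = {}
    for entry in sorted(os.listdir(folder)):
        full = os.path.join(folder, entry)
        if os.path.isfile(full):
            verdicts[entry] = classify(full)
    return verdicts

def demo() -> dict:
    """Write constructed samples (header bytes only, not real malware) and scan them."""
    samples = {
        "receipt.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",    # genuine PDF header
        "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",        # PE header behind a .pdf name
        "resume.docx": b"PK\x03\x04\x14\x00\x06\x00",        # genuine OOXML container
        "template.docx.exe": b"MZ\x90\x00\x03\x00\x00\x00",  # double extension
        "notes.txt": b"plain text",                          # neither claim nor PE
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, body in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(body)
        return scan_downloads(folder)
```

Pointing `scan_downloads` at a real Downloads folder turns this into a quick triage pass; it only catches the name-versus-content mismatch the article describes, not a correctly named .exe the user chooses to run anyway.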
A spokesperson for eSentire said Google has been informed of the security company's findings but has not responded. The Register asked Google for comment, and we've not heard back. ®