Google Sites blight: Over 100,000 web pages for business form searches overrun with backdoor RATs

eSentire warns of remote-access trojans masquerading as PDFs

More than 100,000 web pages hosted by Google Sites are being used to trick netizens into opening business documents booby-trapped with a remote-access trojan (RAT) that takes over victims' PCs and hands control to miscreants.

Infosec outfit eSentire on Tuesday said it has noted a wave of so-called search redirection shenanigans, in which people Googling for business forms and the like are shown links to web pages published via Google Sites – a Google-hosted web service – that offer a download of whatever materials they were looking for. After clicking on a button to fetch the desired file, the mark is taken to a different site entirely.

Those sites download a Windows executable, masquerading as a PDF or Microsoft Word file, that when opened installs the RAT, meaning a victim has to be duped into running the malicious software after fetching it. The Google Sites pages include common business terms like "template," "invoice," "receipt," "questionnaire," and "resume," in order to convince Google's search algorithm that the pages are relevant for those searches.

"Once the target lands on a site controlled by the hacker, the page shows download buttons for the document template they were searching," eSentire explained in a post provided ahead of publication to The Register. "When clicked, the business professional is redirected (unknowingly) to a malicious website which serves up an executable disguised as a PDF document or a Word document."

Using the Google Search query below, which looks for the text label used in one of the download buttons that fetches a malicious executable, many of these booby-trapped pages could still be found at the time this story was filed.


Be advised, in case it's not obvious, that if you copy and paste this search string into your browser, you should not be clicking any download buttons encountered on any of the search results pages that Google returns.

Google, photo by lightpoet via Shutterstock

Google: You know we said that Chrome tracker contained no personally identifiable info? Yeah, about that...


In an attack observed by eSentire, the ill-intentioned executable, designed to look like a .pdf, simultaneously installed the SolarMarker RAT and a copy of the Slim PDF Reader, a legitimate app bundled with the RAT, presumably to distract from the malware installation.

With SolarMarker installed, those running the campaign can send remote commands and upload other files to the infected system.

Spence Hutchinson, manager of threat intelligence for eSentire, said the reliance on user interaction to deliver malware is a testament to the increasing security of browsers. "Unfortunately, it reveals a glaring blindspot in controls which allow users to execute untrusted binaries or script files at will," he said.

SolarMarker has been spotted by other security companies, which have referred to as variously as Jupyter, Yellow Cockatoo, and Polazert. eSentire said it first became aware of the RAT in October, when the malware was dropping tracking files on infected hosts and using Shopify and PDF-embedded links for redirection.

Initially, it used a decoy file docx2rtf.exe to conceal the download and installation of Microsoft's .NET framework. It was later seen using two other decoy applications, photodesigner7_x86-64.exe and Expert_PDF.exe, and is now using the Slim PDF Reader.

The attack path involves a Google Sites page controlled by the attacker with an embedded download button that's served from an attacker-controlled host. A click on the button fetches the executable payload disguised as a PDF over several IPv6 addresses, mostly using .tk and .ml domains. The client triggers the executable by opening the supposed PDF, which then installs .NET functionality for the RAT as a .tmp executable. The RAT then invokes PowerShell and contacts potential command-and-control servers.

A spokesperson for eSentire said Google has been informed of the security company's findings but has not responded. The Register asked Google for comment, and we've not heard back. ®

Broader topics

Other stories you might like

  • Google opens the pod doors on Bay View campus
    A futuristic design won't make people want to come back – just ask Apple

    After nearly a decade of planning and five years of construction, Google is cutting the ribbon on its Bay View campus, the first that Google itself designed.

    The Bay View campus in Mountain View – slated to open this week – consists of two office buildings (one of which, Charleston East, is still under construction), 20 acres of open space, a 1,000-person event center and 240 short-term accommodations for Google employees. The search giant said the buildings at Bay View total 1.1 million square feet. For reference, that's less than half the size of Apple's spaceship. 

    The roofs on the two main buildings, which look like pavilions roofed in sails, were designed that way for a purpose: They're a network of 90,000 scale-like solar panels nicknamed "dragonscales" for their layout and shimmer. By scaling the tiles, Google said the design minimises damage from wind, rain and snow, and the sloped pavilion-like roof improves solar capture by adding additional curves in the roof. 

    Continue reading
  • Pentester pops open Tesla Model 3 using low-cost Bluetooth module
    Anything that uses proximity-based BLE is vulnerable, claim researchers

    Tesla Model 3 and Y owners, beware: the passive entry feature on your vehicle could potentially be hoodwinked by a relay attack, leading to the theft of the flash motor.

    Discovered and demonstrated by researchers at NCC Group, the technique involves relaying the Bluetooth Low Energy (BLE) signals from a smartphone that has been paired with a Tesla back to the vehicle. Far from simply unlocking the door, this hack lets a miscreant start the car and drive away, too.

    Essentially, what happens is this: the paired smartphone should be physically close by the Tesla to unlock it. NCC's technique involves one gadget near the paired phone, and another gadget near the car. The phone-side gadget relays signals from the phone to the car-side gadget, which forwards them to the vehicle to unlock and start it. This shouldn't normally happen because the phone and car are so far apart. The car has a defense mechanism – based on measuring transmission latency to detect that a paired device is too far away – that ideally prevents relayed signals from working, though this can be defeated by simply cutting the latency of the relay process.

    Continue reading
  • Google assuring open-source code to secure software supply chains
    Java and Python packages are the first on the list

    Google has a plan — and a new product plus a partnership with developer-focused security shop Snyk — that attempts to make it easier for enterprises to secure their open source software dependencies.

    The new service, announced today at the Google Cloud Security Summit, is called Assured Open Source Software. We're told it will initially focus on some Java and Python packages that Google's own developers prioritize in their workflows. 

    These two programming languages have "particularly high-risk profiles," Google Cloud Cloud VP and GM Sunil Potti said in response to The Register's questions. "Remember Log4j?" Yes, quite vividly.

    Continue reading

Biting the hand that feeds IT © 1998–2022