Hackers have promoted 100 thousand pages with malicious PDFs in browsers
Cybercriminals have once again relied on search engine promotion techniques to lure employees and CEOs to seemingly legitimate websites. The attackers' end goal was to install a remote access trojan (RAT), which opens remote access to the infected system. During this campaign, the attackers used business-relevant search queries, mainly related to various forms: invoices, templates, surveys, and receipts. As a result, users who tried to download such templates were stealthily redirected to a malicious site.
The researchers say they found more than 100,000 unique web pages containing popular business keywords.
After studying the infection chain, the experts concluded that the SolarMarker malware (also known as Yellow Cockatoo, Jupyter and Polazert) is used in the attacks. As a rule, the malware was disguised as a harmless PDF file which, when opened, immediately installed a trojan that gives the cybercriminals remote access. At the same time, the Slim PDF software was installed as cover.
Source: anti-malware.ru
16 April 2021