On many occasions we find PDF files when we search for something on the Internet. Modern browsers open these documents immediately, as if they were ordinary web pages, and that is something some criminals are taking advantage of to infect users with malware.

We are talking about the malware known as SolarMarker, which relies on "SEO poisoning": keyword-laden PDF documents are pushed into the top Google positions for a variety of searches, leading users to a malicious site masquerading as Google Drive.

Microsoft describes it as a backdoor malware, capable of stealing browser data and credentials.

The technique called SEO poisoning is not new; it has been used many times to spread malware through search engines. Using thousands of optimized PDFs, each carrying links that lead to the real threat, is however quite original.

Users tend to trust PDF files, and if there is a link in one of them, the likelihood of someone clicking increases. In this case the content was related to insurance forms, SQL tutorials and answers to mathematical problems, as the Microsoft Security Intelligence team indicated on Twitter.

In February SolarMarker was distributed in North America through Google Sites pages. Over time the operators have also started to use AWS and the Strikingly service to host the files that contain the links to the threats.

Generally the PDF asks the user to download a .doc or .pdf file with the complete information. Upon clicking, the user's browser automatically opens 5-7 sites in succession on .site, .tk and .ga domains. Finally, the redirect chain ends on an attacker-controlled site that mimics Google Drive, where the user is asked to download the file.

Users who open the PDF, click on the link, sit through the redirects to various sites, end up on the Google Drive clone and install the malicious file may suffer anything from data theft to problems related to the modification of shortcuts.
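The chain described above (a click from a PDF, a handful of hops across .site, .tk and .ga domains, and a final file download) is visible in web proxy or DNS logs. The following Python script is an added example, not code from the article or from Microsoft, showing how a defender could flag such chains. It assumes a hypothetical whitespace-separated proxy log with four fields (epoch seconds, client IP, referrer, requested URL); the log lines, hop counts and window length are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Free TLDs the article names as hosting the intermediate redirect hops.
SUSPICIOUS_TLDS = {"site", "tk", "ga"}
# The article reports 5-7 sites opened per click; alert from 5 hops upward.
MIN_HOPS = 5
# Hops from a single click land within seconds; this window is an assumption.
WINDOW_SECONDS = 60
# Payload extensions the fake Drive page offers (".doc"/".pdf" per the article).
DOWNLOAD_EXTS = (".doc", ".pdf", ".exe")

# Constructed sample proxy log: epoch_seconds client_ip referrer requested_url
# ("-" means no referrer). Hosts are invented placeholders, not real IoCs.
SAMPLE_LOG = """\
1000 10.0.0.5 - https://sites.google.com/view/insurance-forms/doc.pdf
1003 10.0.0.5 https://sites.google.com/view/insurance-forms/doc.pdf https://hop1.example.site/go
1004 10.0.0.5 https://hop1.example.site/go https://hop2.example.tk/r
1005 10.0.0.5 https://hop2.example.tk/r https://hop3.example.ga/r
1006 10.0.0.5 https://hop3.example.ga/r https://hop4.example.site/r
1007 10.0.0.5 https://hop4.example.site/r https://hop5.example.tk/r
1008 10.0.0.5 https://hop5.example.tk/r https://drive-download.example.ga/file.doc
2000 10.0.0.9 - https://www.example.org/manual.pdf
2010 10.0.0.9 https://www.example.org/manual.pdf https://www.example.org/form.doc
"""


def tld(url):
    """Return the last DNS label of the URL's host, lower-cased ('' if absent)."""
    host = urlparse(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()


def parse_log(text):
    """Parse the four-field log format into (ts, client, referrer, url) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, referrer, url = line.split()
        records.append((int(ts), client, referrer, url))
    return records


def find_redirect_chains(text):
    """Flag per-client chains: PDF referrer -> >= MIN_HOPS suspicious-TLD hops
    within WINDOW_SECONDS, ending in a file download."""
    by_client = defaultdict(list)
    for rec in parse_log(text):
        by_client[rec[1]].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort()  # chronological order per client
        i = 0
        while i < len(recs):
            ts, _, ref, url = recs[i]
            # A chain starts when a click from a PDF lands on a suspicious TLD.
            if not (ref.lower().endswith(".pdf") and tld(url) in SUSPICIOUS_TLDS):
                i += 1
                continue
            chain, start_ts, prev, j = [url], ts, url, i + 1
            # Follow hops as long as each request is referred by the previous one.
            while j < len(recs):
                nts, _, nref, nurl = recs[j]
                if (nts - start_ts > WINDOW_SECONDS or nref != prev
                        or tld(nurl) not in SUSPICIOUS_TLDS):
                    break
                chain.append(nurl)
                prev = nurl
                j += 1
            final_path = urlparse(chain[-1]).path.lower()
            if len(chain) >= MIN_HOPS and final_path.endswith(DOWNLOAD_EXTS):
                findings.append({"client": client, "source_pdf": ref,
                                 "hops": len(chain), "final_url": chain[-1]})
            i = j if j > i + 1 else i + 1
    return findings


if __name__ == "__main__":
    for f in find_redirect_chains(SAMPLE_LOG):
        print(f"{f['client']}: {f['hops']} hops from {f['source_pdf']} -> {f['final_url']}")
```

The second client in the sample (a PDF linking to a .doc on the same ordinary domain) is deliberately not flagged, so the rule keys on the chain through throwaway TLDs rather than on PDF-to-document links in general; in a real deployment the referrer matching would need to tolerate referrer stripping between hops.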