The attack works by using PDF documents designed to rank on search results. Instead of getting the coveted document they are redirected to through multiple sites to end up at a page where they download the Polazert Trojan. Once victims have downloaded the PDF file they thought they were looking for, they are prompted to download another document that supposedly contains the information they set out to find. DistributionĪccording to Microsoft Security Intelligence, attackers have started using PDF files full of keywords that have a high SEO ranking, so that their links show up prominently in search results. To gain persistence on an infected system it adds shortcuts to the Startup folder and changes existing shortcuts. To achieve this, collected data is sent to a C&C server. Trojan.Polazert is specifically designed to steal credentials from browsers and provide an attacker with a backdoor that allows them to further compromise infected systems.
This RAT runs in memory and is used by attackers to install additional malware on affected systems. Trojan.Polazert aka SolarMarker has gone back and fine-tuned an old tactic known as SEO-poisoning to plant their Remote Access Trojan (RAT) on as many systems as possible.
0 kommentar(er)
