SolarMarker RAT Pushed On 100,000 Google Sites

The SolarMarker RAT is making its way around many websites due to some clever manipulation of Google’s SEO ratings. The attack starts with the potential victim performing a search for business forms such as invoices, questionnaires, and receipts. The attack campaign lays traps for potential victims using Google search redirection and drive-by-download. When a person visits one of the sites they are directed to and clicks on a purported “form,” they execute a binary disguised as a PDF. This installs the SolarMarker RAT on their device.

Once the RAT is on the victim’s computer and activated, the threat actors can send commands and upload additional malware to the infected system, such as ransomware, a credential stealer, a banking trojan, or simply use the RAT as a foothold into the victim’s network.

Initial reports and analysis of SolarMarker’s activity came from eSentire earlier this week.

“This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code,” researchers wrote. “Unfortunately, it reveals a glaring blind spot in controls, which allows users to execute untrusted binaries or script files at will.”

Given how difficult it is to master Google’s SEO for many businesses, it is clear that the hackers behind the SolarMarker RAT attacks are using high levels of sophistication in their campaign.

The hackers use common business words as keywords, which dupes Google’s web crawler into believing that the intended content meets conditions for a high page-rank score, which means the malicious sites will appear at the top of user searches, according to the report. This increases the likelihood that victims will be lured to infected sites.

eSentire’s Threat Response Unit (TRU) discovered over 100,000 unique web pages that contain popular business terms/particular keywords: template, invoice, receipt, questionnaire, and resume. In a precursory search, 70,000 unique web pages included the mention of either template or invoice.

“Security leaders and their teams need to know that the threat group behind SolarMarker has gone to a lot of effort to compromise business professionals, spreading a wide net and using many tactics to successfully disguise their traps,” said Spence Hutchinson, manager of threat intelligence for eSentire.

“Once a RAT has been installed on a victim’s computer, the threat actors can upload additional malware to the device, such as a banking trojan, which could be used to hijack the online banking credentials of the organization,” researchers said. Threat actors also could install a credential-stealer in this way, to harvest the employee’s email credentials and launch a business email compromise (BEC) scheme.

“Unfortunately, once a RAT is comfortably installed, the potential fraud activities are numerous,” they noted.

SolarMarker RAT Analysis

This analysis has been provided by eSentire, who have been researching the SolarMarker RAT attacks.

The emerging RAT is written with the .NET software framework and has been tracked as Jupyter, Yellow Cockatoo, and SolarMarker; it is now also being tracked as Polazert on Twitter. SolarMarker was first observed in early October 2020. Throughout October and November 2020, SolarMarker used docx2rtf.exe as a decoy to distract users while the .NET RAT silently installed itself in the background. Red Canary reports SolarMarker changing this decoy application throughout the following months, using photodesigner7_x86-64.exe in September 2020 and Expert_PDF.exe in November 2020, while eSentire continued to see docx2rtf.exe. Researchers have now discovered that the SolarMarker group is using Slim PDF Reader.

The attack chain starts with a Google search and ends in the installation of the SolarMarker RAT and a lesser-known PDF viewer.
Process tree outlining the installation of SolarMarker. Note the Adobe icon on the installer file. The RAT, labeled (unknown), then goes on to install the decoy document and make malicious PowerShell calls.
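The process tree described above can be hunted for in endpoint telemetry. The following is an added example, not code from eSentire or the original article: it flags a lure-named executable run from a Downloads folder that spawns PowerShell, and notes any decoy named in the article among its children. The event layout, paths and PIDs are constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Lure keywords and decoy file names as listed in the article.
LURE_KEYWORDS = ("template", "invoice", "receipt", "questionnaire", "resume")
KNOWN_DECOYS = {"docx2rtf.exe", "photodesigner7_x86-64.exe", "expert_pdf.exe"}

# Constructed process-creation events (hypothetical schema: pid, ppid, image).
EVENTS = [
    {"pid": 4100, "ppid": 980, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"pid": 5200, "ppid": 1200, "image": r"C:\Users\alice\Downloads\Free-Invoice-Template.exe"},
    {"pid": 5260, "ppid": 5200, "image": r"C:\Users\alice\AppData\Local\Temp\docx2rtf.exe"},
    {"pid": 5300, "ppid": 5200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 6100, "ppid": 1200, "image": r"C:\Users\bob\Downloads\resume-builder-setup.exe"},
    {"pid": 6150, "ppid": 6100, "image": r"C:\Program Files\ResumeBuilder\builder.exe"},
]

def is_lure_installer(image):
    """True for an .exe in a Downloads folder whose name contains a lure keyword."""
    path = image.lower()
    name = ntpath.basename(path)
    return (name.endswith(".exe") and "\\downloads\\" in path
            and any(k in name for k in LURE_KEYWORDS))

def find_suspicious_trees(events):
    """Return lure-named installers that spawned PowerShell, with decoys seen."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(ntpath.basename(e["image"]).lower())
    findings = []
    for pid, kids in children.items():
        parent = by_pid.get(pid)
        if parent is None or not is_lure_installer(parent["image"]):
            continue
        if "powershell.exe" in kids:  # a document "installer" has no reason to do this
            findings.append({
                "pid": pid,
                "image": parent["image"],
                "decoys": sorted(KNOWN_DECOYS.intersection(kids)),
            })
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_trees(EVENTS):
        print(finding)
```

The decoy list is only supporting evidence, since the article shows the decoy changing over time; the parent-spawns-PowerShell condition is what triggers the finding.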

SolarMarker RAT captures victims via Google Search redirect. Often, clients are looking for a free version or template of a document. In the latest incident observed by researchers, the victim, who works in the financial industry, was redirected to a Google Sites page controlled by the threat actor with an embedded download button. The download button, hosted at passiondiamond[.]site, is easy to customize. Researchers were able to generate a document named “this is a test” for download.

The Download button that is embedded in the Google Site

The decoy program, Slim PDF, serves as an important visual cue for potential victims of SolarMarker but also helps to lower suspicion of malicious intent.

Screenshot from the Slim PDF reader website

The redirection infrastructure passes through a series of .tk TLDs before landing on the final .ml TLD domain. Upon visiting the infrastructure with a VM, no such redirects are experienced. Upon inspecting the source code of the embedded download button at, researchers found an entirely different .tk domain, indicating a possibility that these redirect pathways are dynamic and can be changed for either operational security or delivery efficacy. It’s possible that any number of checks are being performed on the visiting browser and operating system to ensure they are being operated by victims, not security researchers.

SolarMarker’s redirect path from the search result to the final payload site
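The redirect pattern described above (several .tk hops ending on a .ml host) can be searched for in web-proxy logs. This is an added example, not part of the original article or eSentire's tooling: it assumes the hops appear as HTTP 3xx responses with a Location header, and the log format, client addresses and domains are all constructed.

```python
from urllib.parse import urlsplit

# Constructed proxy log: client, requested URL, HTTP status, Location header.
LOG = """\
10.0.0.5 https://sites.google.com/view/constructed-invoice-form 200 -
10.0.0.5 http://hop-one.constructed-a.tk/go 302 http://hop-two.constructed-b.tk/r
10.0.0.5 http://hop-two.constructed-b.tk/r 302 http://landing.constructed-c.ml/get
10.0.0.5 http://landing.constructed-c.ml/get 200 -
10.0.0.9 http://shop.constructed-d.tk/ 301 https://shop.constructed-d.tk/
10.0.0.9 https://shop.constructed-d.tk/ 200 -
"""

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def redirect_chains(log_text):
    """Rebuild per-client chains by matching each Location to the next request."""
    open_chains, done = {}, []  # (client, expected next URL) -> URLs so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, url, status, location = line.split()
        chain = open_chains.pop((client, url), []) + [url]
        if status.startswith("3") and location != "-":
            open_chains[(client, location)] = chain
        elif len(chain) > 1:  # a chain that ended on a non-redirect response
            done.append((client, chain))
    return done

def matches_tk_to_ml(chain, min_tk_hosts=2):
    """True if the chain crosses several distinct .tk hosts and lands on .ml."""
    hosts = [host_of(u) for u in chain]
    tk_hosts = {h for h in hosts[:-1] if h.endswith(".tk")}
    return hosts[-1].endswith(".ml") and len(tk_hosts) >= min_tk_hosts

def flagged_chains(log_text):
    return [(c, ch) for c, ch in redirect_chains(log_text) if matches_tk_to_ml(ch)]

if __name__ == "__main__":
    for client, chain in flagged_chains(LOG):
        print(client, " -> ".join(host_of(u) for u in chain))
```

Because the article notes that the redirect pathways appear to be dynamic, the match is on the TLD pattern rather than on specific domains; redirects performed in script rather than by HTTP status would not appear in this view.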

