System Force I.T.

This malware PDF steals your data and passwords

This malware PDF steals your data and passwords
SolarMarker malware steals a users data and password with PDF files

The malware known as ‘SolarMarker’ that steals data and passwords is spreading in a unique way.

What and how does it happen?


Attacks who use SolarMarker utilize PDF documents that are packed with search engine optimization (SEO) keywords to increase the exposure of the documents on search engines, directing users to malware on a malicious site impersonating as Google Drive.

The attackers are “seeking for new success by employing an old tactic known as SEO poisoning”, according to Microsoft Security Intelligence on Twitter. The malware, they went on to say, steals data and credentials from browsers.

Hackers are distributing malicious files, that are filled with key searched phrases, to users via Google’s search engine… Source: Twitter

SEO poisoning is a well-known malware that used to use search engines to spread and target victims. However, attackers are now imitating as a friendly download website, like Google Drive, where they can download their file.  They filled the PDF documents with various popular search terms, like ‘insurance form’, ‘math answers’ and ‘acceptance of contact’.

The cyber criminals used Google Sites to host sites that served as bait for the malware downloads. As documents were already SEO heavy, it just meant that it would be higher up the rankings on Google, equalling more clicks by victims.


The attack works by using PDF documents designed to rank on search results. To achieve this, attackers padded these documents with >10 pages of keywords on a wide range of topics, from “insurance form” and “acceptance of contract” to “how to join in SQL” and “math answers”.

Microsoft Security Intelligence Team via Twitter



Microsoft Security Intelligence also identified that they were using Amazon Web Services, and Strikingly’s free website hosting service alongside Google Sites – to upload their malware documents onto.

Microsoft continues to document the malware saying, ‘when the link to download the .pdf file or .doc file is clicked, the user is then redirected to several malicious sites ending with .site, .tk and .ga.’ After being redirected through several malicious websites, the user is finally bought to the imitation website of Google Drive.

To trick people into thinking the file is genuine, a clone of the Google Drive website was created. Source: Twitter

What can I do about it?


System Force IT offers various different anti-virus and anti-malware software, tailored to your business needs.

Having several layers of protection and filters, for e-mails, internet browsing, and file downloads is vital for a business.

Not only digital security is key, but to have different types of backups and encryption within your systems is just as important.

We provide all the systems and networking businesses need to stay safe in the digital era – so please do get in contact for any information.



System Force IT provides 24/7 IT support and engineering help with all our services. Our IT infrastructure management team are responsible for the backbone of your business. Monitoring and maintaining both physical and virtual services in real-time.