The team behind the SolarMarker malware has been loading it into PDFs and using web search results to trick people into downloading them (via ZDNet).
SolarMarker Malware
Microsoft says that SolarMarker/Jupyter is a backdoor that can steal login credentials and other data from browsers. The team uses a technique called “SEO poisoning” to push its pages as high as possible in search engines like Google. “In this case, the attackers are using thousands of PDFs filled with keywords and links that redirect the unwary across multiple sites towards one that installs the malware.”
These search results lead people to a website that pretends to be Google Drive, and downloading one of these PDFs installs the malware on your computer. According to Microsoft, the PDF asks the visitor to download a .doc or .PDF version of the search term they were looking for. The visitor is then redirected through 5-7 websites with domains such as .site, .tk, and .ga before arriving at the fake Google Drive website.
In any case, make sure you have anti-malware installed on your Mac, and be wary of logging into websites you didn’t navigate to yourself.
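As an added detection example (not from the article or from Microsoft’s report), the following Python rebuilds per-client redirect chains from constructed proxy log lines and flags those matching the pattern described here: five or more hops through hosts on .site/.tk/.ga domains that end at a Google Drive look-alike. The log format, the host names and the “at least two suspicious-TLD hops” threshold are assumptions.

```python
# Added example, not from the article: rebuild per-client redirect chains from
# constructed proxy log lines and flag the shape described above (several hops
# over throwaway TLDs ending at a Google Drive look-alike).
from urllib.parse import urlparse

SUSPICIOUS_TLDS = {"site", "tk", "ga"}   # TLDs named in the report
MIN_HOPS = 5                             # report: 5-7 redirects before the fake Drive page

# Constructed log lines, "<client> <url> <referrer>"; "-" means no referrer
SAMPLE_LOG = """\
10.0.0.5 https://search.example/?q=contract+template -
10.0.0.5 https://docs-host.site/contract.pdf https://search.example/?q=contract+template
10.0.0.5 https://go.example.tk/r https://docs-host.site/contract.pdf
10.0.0.5 https://step2.example.ga/r https://go.example.tk/r
10.0.0.5 https://cdn.example.site/r https://step2.example.ga/r
10.0.0.5 https://drive-google.example/download https://cdn.example.site/r
10.0.0.9 https://drive.google.com/file/abc https://mail.google.com/
"""
def host_of(url):
    return urlparse(url).hostname or ""
def looks_like_drive(host):
    # Look-alike: names "drive"/"google" but is not actually under google.com
    legit = host == "google.com" or host.endswith(".google.com")
    return not legit and ("drive" in host or "google" in host)
def build_chains(log_text):
    """Follow referrers backwards from each client's last request to rebuild its chain."""
    prev, last = {}, {}                  # (client, url) -> referrer; client -> last url
    for line in log_text.splitlines():
        client, url, ref = line.split()
        prev[(client, url)] = None if ref == "-" else ref
        last[client] = url
    chains = {}
    for client, url in last.items():
        chain = []
        while url is not None and (client, url) in prev and url not in chain:
            chain.append(url)
            url = prev[(client, url)]
        chains[client] = chain[::-1]     # oldest request first
    return chains

def flag_chain(chain):
    """True when the chain is long, hops through suspicious TLDs and ends at a fake Drive."""
    hosts = [host_of(u) for u in chain]
    if len(hosts) < MIN_HOPS:
        return False
    # Assumed threshold: at least two hops on the throwaway TLDs
    bad_tld_hops = sum(h.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS for h in hosts)
    return bad_tld_hops >= 2 and looks_like_drive(hosts[-1])

def flagged_clients(log_text=SAMPLE_LOG):
    return sorted(c for c, ch in build_chains(log_text).items() if flag_chain(ch))
```

Run against real proxy or DNS telemetry, the same chain reconstruction also surfaces which PDF host started the sequence, which is the indicator worth blocking.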
Andrew:
Given that this is now in the public domain, one should think that, at least for Safari users, the ‘Fraudulent Website Warning’ feature that one can activate in ‘Settings’ should also alert the user that the end site is bogus and not to be trusted.
If not, then this feature needs to be fixed/updated.
It also makes me wonder how actively this feature is updated – perhaps a question TMO could put to Apple (?)