The Mandiant team discovered that this campaign has two different infection chains. The first infection chain targets users looking for software bundles. A user who searches for something like “free software development tools installation” may see a compromised website among the search results on the first page and visit that site. If the user downloads and runs the software installer on the compromised site, it will install legitimate software, but bundled with that software is BATLOADER malware.
Once the BATLOADER malware is executed as part of the installation process, a multi-stage infection chain begins, where each stage involves downloading and executing an additional malicious payload. One of these payloads contains malicious VBScript embedded inside a legitimate internal component of Windows, AppResolver.dll. Despite the malicious VBScript, the DLL sample’s code signature remains valid, which is an issue that Microsoft tried to address with a patch for CVE-2020-1599.
In a later stage of this attack chain, the malicious payload installs additional malware, as well as ATERA. However, the second attack chain skips over the earlier steps and installs ATERA directly.

Users directed to the malicious website will find a message board with a download link for what appears to be legitimate software, but is really the ATERA Agent Installer Package. ATERA is legitimate Remote Monitoring and Management (RMM) software, but the threat actors in this case use it to run pre-configured scripts, perform malicious tasks, install persistent malware, and finally uninstall itself once its work is done.
According to Mandiant, some of the attack chain activity overlaps with techniques used in CONTI ransomware operations. The threat group behind this SEO poisoning campaign may be replicating CONTI techniques by drawing on training documents, playbooks, and tools that were leaked by a disgruntled CONTI affiliate in August 2021.
Mandiant’s report on the SEO poisoning campaign contains further details, including some of the malicious domains being used in the campaign, as well as MD5 hash values of malicious packages used in the campaign.