SEO Poisoning Campaign Laces Your Zoom And TeamViewer Installs With BATLOADER Malware

SEO Poisoning Example
A cybersecurity firm recently discovered a search engine optimization (SEO) poisoning campaign designed to trick users into installing malware on their computers. The campaign works by leveraging various SEO techniques, such as cramming large numbers of keywords into the source code of malicious webpages, in order to push those webpages near the top of the search results for various free-to-download productivity applications.

The Mandiant team found that this campaign has two different infection chains. The first infection chain targets users looking for software bundles. A user who searches for something like “free software development tools install” may see a compromised website among the search results on the first page and visit that site. If the user downloads and runs the software installer from the compromised site, it will install legitimate software, but bundled with that software is BATLOADER malware.

Once the BATLOADER malware is executed as part of the installation process, a multi-stage infection chain begins, where each stage involves downloading and executing an additional malicious payload. One of these payloads contains malicious VBScript embedded within a legitimate internal component of Windows, AppResolver.dll. Despite the malicious VBScript, the DLL sample’s code signature remains valid, an issue that Microsoft attempted to address with a patch for CVE-2020-1599.

In a later stage of this attack chain, the malicious payload installs additional malware, as well as ATERA. However, the second attack chain skips over the earlier steps and installs ATERA directly.

Fake message board with a download link for a malicious package.

This second attack chain targets users looking for specific software, rather than software bundles. When a user searches for “free TeamViewer install,” for example, one of the top results will link to a compromised website that abuses a Traffic Direction System (TDS). The TDS will attempt to direct unsuspecting users to a malicious website, while showing a legitimate webpage to security researchers trying to find malware.

Users directed to the malicious website will find a message board with a download link for what appears to be legitimate software, but is really the ATERA Agent Installer Package. ATERA is legitimate Remote Monitoring and Management (RMM) software, but the threat actors in this case use it to run pre-configured scripts, perform malicious tasks, install persistent malware, and finally uninstall itself once its work is done.

According to Mandiant, some of the attack chain activity overlaps with techniques used in CONTI ransomware operations. The threat group behind this SEO poisoning campaign may be replicating CONTI techniques by drawing on training documents, playbooks, and tools that were leaked by a disgruntled CONTI affiliate in August 2021.

Mandiant’s report on the SEO poisoning campaign contains further details, including some of the malicious domains being used in the campaign, as well as MD5 hash values of malicious packages used in the campaign.