Toxic SEO Campaign Distributes Malware-Infected Versions of Common Software

Toxic SEO Campaign Distributes Malware-Infected Versions of Common Software

Short News:- 

"SEO poisoning" attacks boost the search engine rankings of malicious websites. Users searching for apps such as TeamViewer, Visual Studio and Zoom are infected. A BATLOADER payload is bundled in an installer along with the legitimate software. The malware then serves as a stepping stone to download additional executables.

Detailed News:- 

A persistent SEO poisoning attack campaign has been observed, exploiting trust in legitimate software utilities to trick users into downloading BATLOADER malware on compromised machines. This attack is ongoing.

To trick people into visiting a compromised website and installing a malicious installer, the threat actor used SEO keywords like "free productivity apps installation" or "free software development tools installation," according to Mandiant researchers in a report released this week.

Anti-malware groups use "SEO poisoning" attacks to boost the search engine rankings of malicious websites so that users searching for apps such as TeamViewer, Visual Studio, and Zoom are infected with the malware.

Additionally, a BATLOADER payload is bundled in an installer along with the legitimate software, and this payload is executed during the installation process. The malware then serves as a stepping stone to download additional executables that propagate the multi-stage infection chain into the targeted organization.

In one of those executables, a malicious VBScript has been added to a tampered version of an internal Microsoft Windows component. A technique known as signed binary proxy execution is then used by the attackers to run the DLL file through the legitimate "Mshta.exe" utility.

Once the VBScript code has been executed, the next phase of the attack can begin, which includes the delivery of additional payloads like Atera Agent, Cobalt Strike Beacon, and Ursnif to aid in remote reconnaissance, privilege escalation, and credential harvesting.

Atera remote monitoring management software was delivered directly as the result of the initial compromise in another variant of the same campaign, showing that operators were experimenting with different strategies.

There are similarities between these attacks and those used by the Conti ransomware gang in August 2021, which Mandiant has highlighted. As a result of the public release of this information, other unaffiliated actors may be using the techniques for their own purposes and goals," the researchers said.