SEO poisoning attack delivers malware-laced installers for popular apps

Trojanized Zoom, TeamViewer, Visual Studio installers pushed via SEO poisoning campaigns

Keyword scam leads to multi-stage attacks delivering malicious versions of professional applications

Batloader and Atera Agent malware slipped on devices via a campaign focused on the compromise of legitimate websites. The search engine optimization – SEO poisoning^[1] campaign was discovered to abuse the trust in legitimate search engines and software tools used for productivity.

Users got tricked into downloading malware via free software development tools installation content online. SEO keywords lured victims to malicious websites where layers triggering downloads of malicious programs were hidden.^[2]

Once landed on the compromised site with malicious files, users get tricked into downloading malware disguised as popular applications. Once such installers get executed, victims unknowingly launch the malware and remote access trojans.^[3]

These SEO poisoning attacks rely on advertisements increasing search engine rankings of websites hosting these malware pieces. Showing up at the top of search results, these sites fake the legitimacy, and people who search for particular TeamViewer, Visual Studio, Zoom, or other applications get infected with malware instead. The site that appears might be the original and genuine one, but redirect end up shooting the malicious URLs to users.

One malware installation loading additional executables and multi-stage infection chain

The particular installers can include the software that brought people there, so the installation f the threat is not noticed quickly. The bundle, however, contains the Batloader malware payload that is immediately executed during the installation process. This particular malware can gain access to various parts of the machine and download other files, install viruses. This is the method used to spread additional infections undetected.

Additional executables include the trojanized version of the Microsoft Windows component that is appended with the malicious VBScript. The attack leverages another malicious technique here. Signed binary proxy execution allows running the DLL file using the legitimate utility.^[4]

Once that is done the launching of the particular script triggers another stage of this attack and leads to the delivery of payloads. Atera Agent, Cobalt Strike, and Ursnif^[5] get downloaded on the machine. These particular trojans can perform remote access, code execution attacks, privilege escalation, and obtain various sensitive information.

SEO poisoning becoming more common and dangerous

Actors behind such attacks can experiment with various tools and deploy different malware. These campaigns can deliver the Atera remote monitoring management program directly on the machine. Such intruders can lead to further compromise of the machine and even the follow-up activities after the exploitation.

Reports show the big jump in such attacks. SolarMarker malware was recently also spread using advanced SEO poisoning methods. Sophos researchers reported that the fake SEO-focused topics on Google Groups and malicious PDF files triggered the installation of the threat.

Researchers^[6] report and note about the major issues related to the significant amount of SEO poisoning attacks that come from downloader-as-as-service operations:

These SEO efforts, which leveraged a combination of Google Groups discussions and deceptive web pages and PDF documents hosted on compromised (usually WordPress) websites, were so effective that the SolarMarker lures were usually at or near the top of search results for phrases the SolarMarker actors targeted

The particular backdoor and information-stealing malware was initially detected in the 2020 attacks. This three mainly get installed when users visit the site from the Google search result list. SEO poisoning helps attackers to plant malware-laced URLs at the top and trick users into downloading fake Windows installers running PowerShell scripts.