SEO Poisoning Campaign Directs Search Engine Visitors Across Industries to JavaScript Malware

Researchers have discovered a high-effort search engine optimization (SEO) poisoning campaign that appears to target employees from multiple industries and government sectors when they search for specific terms that are relevant to their work. Clicking on malicious search results, which are artificially boosted in ranking, leads visitors to a known JavaScript malware downloader.

“Our findings suggest that the campaign may have influence on a foreign intelligence service by analyzing the themes of blog posts,” researchers from security firm Deepwatch said in a new report. “The threat actors used blog post titles that an individual would search for whose organization might be of interest to a foreign intelligence service, for example, ‘Confidentiality Agreement for Interpreters’. The threat intel team found that threat actors likely created 192 blog posts on one site.”

How SEO Poisoning Works

Deepwatch came across the campaign while investigating an incident at a client where one of the employees searched for “transition services agreement” on Google and ended up on a website that presented them with what appeared to be a forum thread in which one of the users shared a link to a zip file. The zip archive contained a file called “Accounting for transition services agreement” with a .js (JavaScript) extension that was a variant of Gootloader, a malware downloader that has in the past delivered a remote access trojan called Gootkit as well as other malware payloads.

Transition services agreements (TSAs) are commonly used during mergers and acquisitions to support the handover of part of an organization after a sale. Because they are so common, many resources about them are likely to exist online, so the fact that the user saw and clicked this link suggests it was displayed at a high ranking in the results.

When they looked at the site hosting the malware delivery page, the researchers realized it was a sports streaming site that, based on its content, was likely legitimate. Hidden within its structure, however, were more than 190 blog entries on topics that would be of interest to professionals working in different industry sectors. These blog posts are reachable only through Google search results.

“Suspicious blog posts cover topics ranging from government and legal to real estate, medical and education,” the investigators said. “Some blog posts address topics related to business and legal questions or actions specific to US states, such as California, Florida, and New Jersey. Other blog posts address topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries.”

Additionally, the attackers deployed a translation mechanism that automatically generates Portuguese and Hebrew versions of these blog posts. Some of the topics are very specific and would attract victims from sectors of interest to foreign intelligence agencies, for example bilateral air services agreements (civil aviation), intellectual property in government contracts (government contractors) or the Shanghai Cooperation Organization (individuals working in the media, foreign affairs or international relations). The blog posts are not duplicates of other content on the web, which Google would likely detect and penalize in search results, but are compiled from multiple sources, giving the appearance of well-researched original posts.

“Given the Herculean task of researching and creating hundreds of blog posts, it can be assumed that many people are working together,” the researchers said. “However, this task may not be completely unfeasible for a lone individual despite the perceived level of effort required to do it.”

How TAC-011 and Gootloader enable SEO poisoning

Deepwatch attributes this campaign to a group it tracks as TAC-011, which has been operating for several years, has likely compromised hundreds of legitimate WordPress websites, and may have produced thousands of individual blog posts to inflate their rankings in Google search.

Once a visitor clicks on one of the fraudulent search results, they are not taken directly to the blog post. Instead, an attacker-controlled script collects information about their IP address, operating system and last known visit, then performs a series of checks before deciding whether to show them the benign blog post or the malicious overlay that mimics a forum thread. According to the researchers’ tests, users who received the overlay do not get it again for at least 24 hours. Visitors using well-known VPN services or Tor are not directed to the overlay, and neither are those using operating systems other than Windows.

The zip file linked in the fake forum thread is hosted on other compromised websites that are likely controlled from a central command and control server. The researchers were unable to determine what additional payloads Gootloader deployed on victim machines, as they are likely selected based on the victim’s organization. The malicious JavaScript file also collects information about the victim’s machine, including the variable “%USERDNSDOMAIN%”, which could expose the organization’s internal corporate domain name.

“For example, if a company with a Windows Active Directory environment and a computer connected to the organization’s network were compromised, the adversary would know that they have access to that organization,” the researchers said. “At that point, the threat actor could sell access or drop another post-exploit tool like Cobalt Strike and move laterally into the environment.”

Mitigating SEO Poisoning Attacks

Organizations should train their employees to be aware of these search result poisoning attacks and to never run files with suspicious extensions. This can be enforced via Group Policy by forcing files with potentially dangerous script extensions such as .js, .vbs, .vbe, .jse, .hta and .wsf to open in a text editor such as Notepad instead of being executed by Microsoft Windows Based Script Host (wscript.exe), which is the default behavior in Windows.
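The registry change behind that Group Policy recommendation, as an added PowerShell example that is not part of the article or of Deepwatch’s report: each extension’s ProgID (for example JSFile for .js) has a shell\open\command value that normally points at wscript.exe or mshta.exe, and the script below repoints it at Notepad. The extension list, the hive path and the helper names are this example’s own choices; in a domain, the same values would be pushed with Group Policy Preferences registry items rather than by running the script on every host.

```powershell
# Added example (not from the article or the Deepwatch report): redirect the
# shell "open" verb of common script file types to Notepad, so a double-click
# on a downloaded .js no longer runs it under Windows Script Host.
# Writing to HKLM requires an elevated shell; pass -ClassesRoot
# 'HKCU:\Software\Classes' to apply the change to the current user only.

$ScriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta'
$SafeHandler      = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""

function Get-ScriptExtensionHandler {
    # Audit step: report the ProgID and current open command for each
    # extension so the state can be compared before and after the change.
    param([string]$ClassesRoot = 'HKLM:\SOFTWARE\Classes')

    foreach ($ext in $ScriptExtensions) {
        $extKey  = Join-Path $ClassesRoot $ext
        $progId  = if (Test-Path $extKey) { (Get-Item $extKey).GetValue('') } else { $null }
        $cmdKey  = if ($progId) { Join-Path $ClassesRoot "$progId\shell\open\command" } else { $null }
        $command = if ($cmdKey -and (Test-Path $cmdKey)) { (Get-Item $cmdKey).GetValue('') } else { $null }
        [pscustomobject]@{ Extension = $ext; ProgId = $progId; OpenCommand = $command }
    }
}

function Set-ScriptExtensionToNotepad {
    # Hardening step: point every extension's open command at Notepad.
    param([string]$ClassesRoot = 'HKLM:\SOFTWARE\Classes')

    foreach ($entry in Get-ScriptExtensionHandler -ClassesRoot $ClassesRoot) {
        $progId = $entry.ProgId
        if (-not $progId) {
            # Extension not registered in this hive: map it to a ProgID of our
            # own (hypothetical name) so the redirect still applies.
            $progId = 'Hardened' + $entry.Extension.TrimStart('.').ToUpper() + 'File'
            $extKey = Join-Path $ClassesRoot $entry.Extension
            if (-not (Test-Path $extKey)) { New-Item -Path $extKey -Force | Out-Null }
            Set-ItemProperty -Path $extKey -Name '(default)' -Value $progId
        }

        $cmdKey = Join-Path $ClassesRoot "$progId\shell\open\command"
        if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $SafeHandler
        Write-Verbose "$($entry.Extension) ($progId): '$($entry.OpenCommand)' -> '$SafeHandler'"
    }
}

# Usage: audit, apply, then audit again to confirm every OpenCommand is Notepad.
Get-ScriptExtensionHandler | Format-Table -AutoSize
Set-ScriptExtensionToNotepad -Verbose
Get-ScriptExtensionHandler | Format-Table -AutoSize
```

Two points worth checking after deployment: the change only covers the double-click and ShellExecute path that the fake forum thread relies on, so an explicit `wscript.exe file.js` invocation still runs the script, and a per-user key under HKCU:\Software\Classes takes precedence over the machine-wide one, so an audit should read both hives.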

Another non-technical recommendation from Deepwatch is to make sure employees have the agreement templates they need available internally. More than 100 of the blog posts found on the compromised sports streaming site concerned some type of commercial agreement template, and another 34 concerned contracts. Law, shopping, tax and legal were also common keywords. The fake forum thread technique has been in use since at least March 2021 and still works, suggesting that attackers still consider it viable and that it yields a high success rate.

“Having a process where an employee can request specific templates can reduce their need to search for the templates and therefore fall victim to these tactics,” the researchers said.

Copyright © 2022 IDG Communications, Inc.
