SEO poisoning campaign directs search engine visitors from multiple industries to JavaScript malware

Researchers have uncovered a search engine optimization (SEO) poisoning campaign that appears to target employees across multiple industries and government sectors when they search for specific terms relevant to their jobs. By clicking on malicious search results, which are artificially pushed higher in the rankings, visitors are directed to a known JavaScript malware downloader.

“Our findings suggest that the campaign may have an influence on foreign intelligence services through analysis of blog post topics,” researchers from security firm Deepwatch said in a new report. “Threat actors used blog post titles that an individual would research whose organization a foreign intelligence service might be interested in, for example, “Non-Disclosure Agreement for Interpreters.” The Threat Intel team has discovered that the threat actors most likely created 192 blog posts on a single site.”

How SEO Poisoning Works

Deepwatch came across the campaign while investigating an incident at a client where one of the employees Googled “transition services agreement” and ended up on a website that presented them with what seemed like be a thread where one of the users shared a link to a zip archive. The zip archive contained a file called “Accounting for transition services agreement” with a .js (JavaScript) extension which was a variant of Gootloader, a malware downloader known in the past to deliver a remote access Trojan called Gootkit, but also various other malware payloads. .

Transition Services Agreements (TSAs) are commonly used during mergers and acquisitions to facilitate the transition of part of an organization following a sale. Since they are frequently used, many resources are likely available for them. The fact that the user saw and clicked on this link suggests that it was displayed at the top of the ranking.

Upon examining the site hosting the malware streaming page, researchers realized that it was a sports streaming distribution site which, based on its content, was likely legitimate. However, hidden deep within its structure were more than 190 blog posts on various topics that would be of interest to professionals working in different industry sectors. These blog posts are only accessible through Google search results.

“The suspicious blog posts cover topics ranging from government and law to real estate, medicine and education,” the researchers said. “Some blog posts cover topics related to specific legal and business issues or actions for US states such as California, Florida, and New Jersey. Other blog posts cover topics relevant to Australia, the Canada, New Zealand, United Kingdom, United States, and other countries.”

Additionally, the attackers deployed a translation mechanism that automatically translates and generates versions of these blog posts in Portuguese and Hebrew. Some of the topics are very specific and would attract victims in areas of potential interest to foreign intelligence agencies, for example bilateral air services agreements (civil aviation), intellectual property in government contracts (government contractors) or the ‘Shanghai Cooperation Organization (individuals working in media, foreign affairs or international relations). Blog posts are not duplicates of other web content, which Google would likely intercept and penalize in search results, but rather are compiled from multiple sources giving the appearance of well-researched original posts.

“Given the herculean task of researching and creating hundreds of blog posts, it’s safe to assume that many people are working together,” the researchers said. “However, this task may not be completely impractical for a single person despite the perceived level of effort required to do it.”

How TAC-011 and Gootloader Enable SEO Poisoning

Deepwatch attributes this campaign to a group they track as TAC-011 which has been operating for several years and has likely compromised hundreds of legitimate WordPress websites and may have produced thousands of individual blog posts to inflate their Google search ranking.

Once a visitor clicks on one of the malicious search results, they are not taken directly to the blog post, but instead an attacker-controlled script collects information about their IP address, their operating system and last known visit, then performs a series of checks before deciding whether to show them the benign blog post or the malicious overlay that mimics a thread. According to the researchers’ tests, users who received the overlay do not get it back for at least 24 hours. Visitors using known VPN services or Tor are not directed to the overlay, nor are those using operating systems other than Windows.

The zip file linked in the fake forum thread is hosted on other compromised websites which are likely controlled from a central command and control server. Researchers could not determine which additional payloads Gootloader deployed to victim machines, as they are likely selected based on the victim’s organization. The malicious JavaScript file also collects information about the victim’s machine, including the “%USERDNSDOMAIN%” variable which could expose the company’s internal domain name.

“For example, if a company with a Windows Active Directory environment and a computer connected to the organization’s network were compromised, the adversary would know that they have access to that organization,” the researchers said. “At this point, the threat actor could sell access or abandon another post-exploitation tool like Cobalt Strike and move laterally through the environment.”

Mitigating SEO poisoning attacks

Organizations should train their employees to be aware of these search result poisoning attacks and never run files with suspicious extensions. This can be applied via Group Policy to force open files with potentially dangerous script extensions such as .js, .vbs, .vbe, .jse, .hta, and .wsf with a text editor such as the Notepad rather than running them with the Microsoft Windows Based Script Host Program, which is the default Windows behavior.

Another non-technical tip offered by Deepwatch is to make sure employees have the agreement templates they need internally. More than 100 of the blog posts found on this compromised sports streaming site were about some sort of business-related model agreement. 34 others concerned contracts. Law, purchasing, taxation and legal were also common keywords. The fake thread technique has been in use since at least March 2021 and it still works, suggesting that attackers still consider it viable and returning a high success rate.

“Having a process where an employee can request specific patterns may reduce their need to search for the patterns and thus fall victim to these tactics,” the researchers said.

Copyright © 2022 IDG Communications, Inc.

Comments are closed.