An SEO poisoning campaign has surfaced that targets employees across industries, including the government sector, when they search for certain terms related to their work. Clicking on malicious links would lead users to a known JavaScript malware downloader.

The campaign

According to Deepwatch, in one of the instances, attackers created 192 blog posts for a website, not by copy-pasting random content but by gathering genuine content accumulated from several similar sites.
  • The attackers used blog post titles that an individual would search for whose organization may be looking for foreign intelligence service (e.g., Confidentiality Agreement for Interpreters).
  • If a user clicks on the malicious search results, which are pushed higher in ranks through SEO poisoning techniques, redirect visitors to download Gootloader malware downloader.
  • The blog topics referred to by threat actors generally are related to legal, real estate, medical, education, government, and more. Also, there were blogs addressing legal/business questions/actions for different U.S. states.

Researchers have linked the recent campaign to a threat group, TAC-011, active for several years. It targeted hundreds of WordPress websites to produce thousands of individual blog posts for SEO.

How does the attack work?

If a visitor clicks on one of the fake search results, they're taken to an attacker-controlled script that collects details about IP address, OS, and last known visit.
  • The script is used to carry out a series of checks before finalizing whether to display the users the benign blog post or a malicious overlay that impersonates a forum thread. 
  • Users receiving overlay don't get it again for the next 24 hours. Users using VPN services or Tor are not directed to the overlay, along with those using OS other than Windows.

Furthermore, the researchers couldn't identify additional payloads deployed by the victims and surmised that hackers are picky in the malware selection for a targeted organization.

What to do?

Organizations should provide training to their employees regarding search result poisoning attacks and avoid executing unknown files and suspicious extensions. Organizations can curb such access by enforcing Group Policy, allowing the opening of suspicious files with a text editor such as Notepad rather than the Microsoft Windows Based Script Host program (by default behavior in Windows).
Cyware Publisher