The Menlo Labs team has discovered two separate campaigns dropping the REvil and SolarMarker backdoors. Both campaigns use SEO poisoning to deliver their payloads to the systems of targeted victims.
Unfolding the attack
According to researchers, recent Gootloader and SolarMarker campaigns (disseminating the REvil and SolarMarker backdoors, respectively) have been increasingly using SEO poisoning to reach their victims.
The attackers inject WordPress-based sites with keywords covering 2,000 unique search topics and terms, including professional development evaluation, sports mental toughness, and industrial hygiene walk-through.
The malicious websites were optimized for these keywords on Google. As a result, users saw the search results presented as PDFs and were urged to download the document.
Moreover, the redirects keep the sites from being removed from the search results.
Attackers’ PDF hosting technique
The campaign has used multiple locations to serve the malicious PDFs, with the U.S. topping the list, followed by Iran and Turkey.
The attackers mostly targeted sites in the business category that generally host PDFs as guides and reports.
Additionally, some well-known education and .gov sites were spreading malicious PDFs.
Hacking sites via the WordPress plugin
In these two campaigns, the attackers did not create their own malicious sites; instead, they compromised existing WordPress sites with good search rankings.
These sites were compromised through an undisclosed vulnerability in the Formidable Forms WordPress plugin.
Version 5.0.07 of the plugin was affected; the vulnerability was fixed in version 5.0.10 and later.
The sudden rise in remote working has led to an increase in SEO-based attacks. Remote work relies on open-internet searches via web browsers, which increases exposure to SEO-based manipulation. Therefore, experts recommend blocking all redirect sites hosted on .site or .tk TLDs and file downloads from unknown sources.
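As an added example (not code from the Menlo Labs report), the following Python sketch applies the recommendations above to constructed proxy-log lines: it flags requests that land on .site or .tk domains, file downloads from hosts outside a hypothetical allowlist, and downloads reached directly from a search-engine referer, which is the chain these campaigns rely on. The log format, the allowlist and all host names are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed policy values (not from the report): the TLDs the advisory
# recommends blocking, download types of interest, and a hypothetical allowlist.
BLOCKED_TLDS = {"site", "tk"}
DOWNLOAD_EXTS = (".pdf", ".zip", ".exe", ".js")
TRUSTED_HOSTS = {"docs.example.com", "intranet.example.com"}
SEARCH_HOSTS = ("google.", "bing.")  # referer hosts that indicate a search-engine hit

# Constructed log format: "<timestamp> <status> <referer> <url>"
LOG_RE = re.compile(r"^(\S+) (\d{3}) (\S+) (\S+)$")


def tld(host):
    """Return the last DNS label of a host name, lower-cased ('' for an empty host)."""
    return host.rsplit(".", 1)[-1].lower() if host else ""


def classify(line):
    """Return the list of policy findings for one log line ([] = clean, None = unparsable)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _, _status, referer, url = m.groups()
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    ref_host = (urlparse(referer).hostname or "").lower()
    findings = []
    if tld(host) in BLOCKED_TLDS:
        findings.append("blocked-tld")
    if path.endswith(DOWNLOAD_EXTS) and host not in TRUSTED_HOSTS:
        findings.append("untrusted-download")
    if path.endswith(DOWNLOAD_EXTS) and any(s in ref_host for s in SEARCH_HOSTS):
        findings.append("search-referred-download")
    return findings


def scan(lines):
    """Map each flagged line to its findings; clean and unparsable lines are skipped."""
    return {line: f for line in lines if (f := classify(line))}


# Constructed sample traffic: a benign intranet download, a search-referred PDF
# from an unknown WordPress host, a hop to a .tk domain, and a malformed line.
SAMPLE_LOG = [
    "2021-10-04T10:01:02Z 200 https://intranet.example.com/ https://docs.example.com/guide.pdf",
    "2021-10-04T10:05:11Z 200 https://www.google.com/search?q=industrial+hygiene+walk-through https://blog.example.org/wp-content/uploads/walkthrough.pdf",
    "2021-10-04T10:05:13Z 302 https://blog.example.org/wp-content/uploads/walkthrough.pdf https://cdn-files.tk/download.php",
    "garbage line",
]

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG).items():
        print(findings, line)
```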