Cybersecurity experts have linked two active search engine optimization (SEO) poisoning campaigns, Gootloader and SolarMarker, to the REvil ransomware gang and to the SolarMarker backdoor respectively; the latter is a highly modular .NET-based information stealer and keylogger. SEO poisoning consists of threat actors creating malicious websites and using search engine optimization tactics to make them appear prominently in search results. When users visit these websites, they are prompted to download a file. Users who open the file are then redirected through a series of sites that ultimately drop a malicious payload.
In this instance, threat actors compromised legitimate WordPress sites that already had a good Google search ranking, exploiting vulnerabilities in the ‘Formidable Forms’ plug-in. Business sites were by far the most frequently targeted category, followed by non-profit organizations and health and medicine sites.
These campaigns use a spray-and-pray approach, which can infect at a higher rate than targeting specific organizations. In turn, many smaller ransoms can add up to large payouts for these ransomware gangs.
The high-ranking websites were compromised through a zero-day vulnerability in the plug-in that allowed a malicious PDF to be uploaded into the ‘/wp-content/uploads/formidable/’ folder. To remediate this vulnerability, WordPress admins who use this plugin should upgrade to version 5.0.10 or later.
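As an added example (not code from the original article or from the plugin's authors), here is a small defender-side audit a WordPress admin could run from the site root: it compares the installed Formidable Forms version against the patched release named above and flags files in the uploads folder named above that deserve a manual look. The plugin header path `wp-content/plugins/formidable/formidable.php`, the list of extensions to review and the PDF action keywords are assumptions of this example, not facts from the article.

```python
import re
import sys
from pathlib import Path

# Added defender-side check; the plugin main-file path is an assumption.
PATCHED_VERSION = (5, 0, 10)                                  # from the article
UPLOAD_DIR = "wp-content/uploads/formidable"                  # from the article
PLUGIN_MAIN = "wp-content/plugins/formidable/formidable.php"  # assumed path
REVIEW_EXT = {".pdf", ".php", ".phtml", ".html", ".htm", ".js", ".zip"}
PDF_ACTIONS = (b"/URI", b"/Launch", b"/JavaScript", b"/OpenAction")

def parse_version(header_text):
    """Read 'Version: x.y.z' from a WordPress plugin header; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header_text, re.MULTILINE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def plugin_needs_update(header_text):
    """True when the installed version is below the patched release or unknown."""
    v = parse_version(header_text)
    return v is None or v < PATCHED_VERSION

def classify_upload(name, data):
    """Reasons to review one uploaded file (empty list means nothing notable)."""
    reasons, ext = [], Path(name).suffix.lower()
    if ext in REVIEW_EXT:
        reasons.append(f"unexpected type {ext}")
    if data.startswith(b"%PDF"):
        found = [k.decode() for k in PDF_ACTIONS if k in data]
        if found:  # clickable or executable actions are typical of lure PDFs
            reasons.append("PDF actions " + ",".join(found))
    elif ext == ".pdf":
        reasons.append("named .pdf but content is not a PDF")
    return reasons

def main(root="."):
    root = Path(root)
    header = root / PLUGIN_MAIN
    if header.is_file():
        state = "NEEDS UPDATE" if plugin_needs_update(header.read_text(errors="replace")) else "OK"
        print(f"Formidable Forms version: {state}")
    up = root / UPLOAD_DIR
    for p in up.rglob("*") if up.is_dir() else []:
        if not p.is_file():
            continue
        reasons = classify_upload(p.name, p.read_bytes())
        if reasons:
            print(f"REVIEW {p.relative_to(up)}: {'; '.join(reasons)}")

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else ".")
```

Run it as `python audit_formidable.py /var/www/html`; a flagged file is a prompt for review, not proof of compromise, since some forms legitimately accept PDF attachments.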