Threat Watch

New SEO Poisoning Campaign Distributing Trojanized Versions of Popular Software

A new campaign has been discovered using search engine optimization (SEO) poisoning to trick users into downloading BATLOADER malware. The SEO keyword themes used as part of the poisoning include terms like “free productivity apps installation” or “free software development tools.”

The malware hosted on these poisoned search result sites are an installer that contains both the legitimate software, such as Visual Studio or Zoom, and the BATLOADER payload. When executed, the malware payload triggers an infection chain using commonly abused Windows binaries to download and execute further payloads. Final payloads used during this campaign include Cobalt Strike beacons, Ursnif, SplashTop and ATERA to establish remote access and persistence, with further post-exploitation frameworks following. In some cases, ATERA was found to be the initial payload deployed, thus bypassing a majority of the infection chain and directly installing the final remote access payload.

This style of attack overlaps with the techniques utilized by the Conti ransomware gang, as disclosed in the documentation leak from a Conti affiliate last year. However, due to the public release of this information, it is likely that another unaffiliated actor is replicating Conti’s techniques to use for their own motives.

ANALYST NOTES

It is recommended to only download software directly from the application’s source, such as the official website or download repository. Downloading applications from third-party sources always runs the risk of the software not being what it says it is. For organizations, it is recommended to maintain a central repository of commonly used utilities that end users can install from. This prevents the need for the end user to search for the tool on the Internet. It is also recommended to include and maintain appropriate endpoint security controls, such as Endpoint Detection and Response (EDR) on all systems. Likewise, appropriate logging and monitoring of activity on endpoints can help detect attacks like this. The use of built-in Windows binaries and process execution chains used by this malware can help alert security personnel to potential malware execution. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with this detection need.

https://thehackernews.com/2022/02/new-seo-poisoning-campaign-distributing.html

https://www.mandiant.com/resources/seo-poisoning-batloader-atera