SEO poisoning campaign directs search engine visitors from multiple industries to JavaScript malware

The sophisticated campaign sends victims looking for business forms and templates to sites containing malicious files.

Researchers have discovered a high-effort search engine optimization (SEO) poisoning campaign that seems to be targeting employees from multiple industries and government sectors when they search for specific terms that are relevant to their work. Clicking on the malicious search results, which are artificially pushed higher in ranking, lead visitors to a known JavaScript malware downloader.

"Our findings suggest the campaign may have foreign intelligence service influence through analysis of the blog post subjects," researchers from security firm Deepwatch said in a new report. "The threat actors used blog post titles that an individual would search for whose organization may be of interest to a foreign intelligence service e.g., 'Confidentiality Agreement for Interpreters.' The Threat Intel Team discovered the threat actors highly likely created 192 blog posts on one site."

How SEO poisoning works

Deepwatch came across the campaign while investigating an incident at a customer where one of the employees searched for “transition services agreement” on Google and ended up on a website that presented them with what appeared to be a forum thread where one of the users shared a link to a zip archive. The zip archive contained a file called "Accounting for transition services agreement" with a .js (JavaScript) extension that was a variant of Gootloader, a malware downloader known in the past to deliver a remote access Trojan called Gootkit but also various other malware payloads.

Transition services agreements (TSAs) are commonly used during mergers and acquisitions to facilitate the transition of a part of an organization following a sale. Since they are frequently used, many resources are likely available for them. The fact that the user saw and clicked on this link suggests it was displayed high in ranking.

When looking at the site hosting the malware delivery page, the researchers realized it was a sports streaming distribution site that based on its content was likely legitimate. However, hidden deep in its structure were over 190 blog posts on various topics that would be of interest for professionals working in different industry sectors. These blog posts can only be reached via Google search results.

"The suspicious blog posts cover topics ranging from government, and legal to real estate, medical, and education," the researchers said. "Some blog posts cover topics related to specific legal and business questions or actions for US states such as California, Florida, and New Jersey. Other blog posts cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries."

Furthermore, the attackers deployed a translation mechanism that automatically translates and generates versions of these blog posts in Portuguese and Hebrew. Some of the topics are highly specific and would lure victims from sectors that would be of interest to foreign intelligence agencies, for example bilateral air service agreements (civil aviation), intellectual property in government contracts (government contractors) or the Shanghai Cooperation Organization (individuals working in mass media, foreign affairs or international relations). The blog posts are not duplicates of other content from the web, which Google would likely catch and penalize in search results but are rather compiled from multiple sources giving the appearance of well-researched original posts.

"Given the herculean task of researching and creating hundreds of blog posts, one may assume that many individuals are working together," the researchers said. "However, this task may not be completely unfeasible for a lone individual despite the perceived level of effort needed to do this."

How TAC-011 and Gootloader enable SEO poisoning

Deepwatch attributes this campaign to a group they track as TAC-011 that has been operating for several years and which has likely compromised hundreds of legitimate WordPress websites and may have produced thousands of individual blog posts to inflate their Google search rankings.

Once a visitor clicks on one of the rogue search results, they're not taken directly to the blog post but instead an attacker-controlled script collects information about their IP address, operating system and last known visit and then performs a series of check before deciding whether to show them the benign blog post or the malicious overlay that imitates a forum thread. Based on the researchers' tests, users who received the overlay don't get it again for at least 24 hours. Visitors using known VPN services or Tor are not directed to the overlay and neither are those using operating systems other than Windows.

The zip file linked in the fake forum thread is hosted on other compromised websites that likely are controlled from a central command-and-control server. The researchers couldn't determine what additional payloads Gootloader deployed on victim machines as these are likely selected based on the victim's organization. The malicious JavaScript file also collects some information about the victim's machine including the “%USERDNSDOMAIN% variable which could expose the internal corporate domain name of the organization.

"For example, if a company with a Windows Active Directory environment and a computer logged into the organization’s network were compromised, the adversary would know that they have access to that organization," the researchers said. "At this point, the threat actor could sell access or drop another post exploitation tool like Cobalt Strike and move laterally in the environment."

Mitigating SEO poisoning attacks

Organizations should train their employees to be aware of these search result poisoning attacks and to never execute files with suspicious extensions. This can be enforced through Group Policy to force the opening of files with potentially dangerous script extensions such as .js, .vbs, .vbe, .jse, .hta and .wsf with a text editor such as Notepad rather than execute them with the Microsoft Windows Based Script Host program, which is the default behavior in Windows.

Another non-technical guidance offered by Deepwatch is to make sure employees have the agreement templates they need available internally. Over 100 of the blog posts found on that one compromised sports streaming site were about some sort of business-related agreement template. Another 34 were about contracts. Law, purchase, tax, and legal were also common keywords. The fake forum thread technique has been in use since at least March 2021 and it still works, suggesting attackers still view it as viable and returning a high success rate.

"Having a process where an employee can request specific templates may reduce their need to search for the templates and thus fall victim to these tactics," the researchers said.

Copyright © 2022 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)