Posted on February 3, 2022 at 6:21 PM
Researchers at Sophos have discovered an ongoing search engine optimization (SEO) attack campaign that distributes malware as PDF files.
The threat actors involved in the campaign are abusing trust in genuine software utilities to deceive users into downloading BATLOADER malware onto compromised systems.
The report said the SolarMarker malware was behind the campaign. The information-stealing malware was first detected in 2020. SolarMarker is also used as a backdoor and was usually installed when victims visited a Google search result. The links are designed to trick the user into downloading a fake Windows installer that runs a PowerShell script.
The threat actor used “free software development tools installation” or “free productivity apps installation” themes as SEO keywords to deceive victims, according to the report.
The report also noted that the attackers’ techniques have some similarities with the method used by the Conti ransomware group that was published in August last year.
The Campaign Has Been Very Effective
Although SEO poisoning is not a new technique, the threat actors have made this campaign very effective, which makes it stand out from other similar attacks.
The SEO attack technique used a combination of deceptive web pages and Google Groups discussions, as well as PDF documents hosted on compromised websites. The threat actors were sophisticated in their approach, placing the SolarMarker lures at the top of the search results and attracting many targets in the process.
Sean Gallagher, a senior threat researcher at SophosLabs, commented on the research findings. He stated that the threat posed by the SEO poisoning attack is unique because a large amount of the SEO poisoning does not come from individual operators but “downloader-as-a-service” operations.
He added that SEO poisoning used to be a very common attack that was easily detected and suppressed. But the technique has not been very common in recent times because it does not work well for targeted attacks. Most of the common poisoning attacks now come along with paid malware distribution services. Gallagher noted that these attacks usually take the form of crypto-fraud malware operations or serve as the persuasion stage of information-stealing malware.
The Malware Operators Used Three SEO Manipulation Methods
It is not common to see a malware operator building their own SEO poisoning infrastructure, which is exactly what has happened with the latest attack, Gallagher added.
The report also revealed that the malware operator used three SEO manipulation methods to deliver SolarMarker. In the first method, they set up Google Groups with about 600 fake posts and named them after different search terms to get top ranking. The comments on the posts contain PDF links that redirect to malicious .msi installers.
In the second method, the SolarMarker threat actors created malware-laden PDF files. These files carry SEO keywords that appear in search results and redirect to a Windows installer. In the third method, the attackers used misleading WordPress sites containing crafted HTML code.
“The HTML source for these malicious pages contains link collections for other search terms,” the report noted. These malicious pages link to other malware-laden pages on the same compromised server.
Some of the search terms the SolarMarker malware exploited include “handbook,” “application,” “worksheet,” and “university.”
The SolarMarker Threat Is Still Present
According to the report, the SEO poisoning was so effective that all three listed methods got links for the targeted search terms into the top 10 Google search results.
Sophos said the SolarMarker malware was first discovered in October last year. The research firm stated that the threats from the attack are still visible even though the campaign seems to have ceased.
The last download site used by the campaign operators has been shut down, but previous deployments are still active. The researchers reported a reduction in the number of attacks since November last year, but the malware has not disappeared. This means the threat actors could resume with a new campaign on new infrastructure at any time.
Reducing The Malicious SEO Poisoning
Gallagher responded in the affirmative when asked whether there is anything search engine operators can do to reduce the spread of the malware. He advised that search engine operators such as Google can tweak their algorithms to target fraudulent sites. They can do this by identifying link farms of unrelated search terms on a page and then flagging them as spam or demoting their page rank. They can also crawl deeper when indexing to find file downloads that are unrelated to the page’s content.
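The two signals the article describes, a page whose link collection covers unrelated search terms and a page that funnels visitors to a Windows installer download, can be checked mechanically by anyone indexing or crawling pages. The following Python script is an added example written for this article; it is not code from Sophos, from the report, or from any search engine. It parses a page with the standard library, compares each anchor text against the page title to estimate how many links are off-topic, and lists links whose path ends in an installer extension. The thresholds (eight or more links, at least 80% off-topic) and the two sample pages are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic thresholds: illustrative assumptions for this example, not values
# taken from the Sophos report or from any search engine's ranking logic.
MIN_LINKS = 8          # fewer links than this is never treated as a link farm
UNRELATED_SHARE = 0.8  # share of anchors sharing no topical word with the title
INSTALLER_EXTS = (".msi", ".exe")  # Windows installer payload types named in the article

# Generic lure words that carry no topical signal; they must not count as "related".
STOPWORDS = {"the", "a", "an", "and", "of", "for", "to", "in", "on",
             "free", "download", "pdf"}


def tokens(text):
    """Lower-cased alphanumeric words of a string, minus generic lure/stop words."""
    return set(re.findall(r"[a-z0-9]+", text.lower())) - STOPWORDS


class LinkCollector(HTMLParser):
    """Collects the page title and every (href, anchor text) pair on the page."""

    def __init__(self):
        super().__init__()
        self.title_parts = []
        self.links = []
        self._in_title = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
        elif tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)
        elif self._href is not None:
            self._text.append(data.strip())


def analyze_page(html):
    """Score one HTML document for the two signals described in the article."""
    parser = LinkCollector()
    parser.feed(html)
    title = " ".join(parser.title_parts).strip()
    topic = tokens(title)

    # Anchors whose words never intersect the title's words are "unrelated search terms".
    unrelated = [text for _, text in parser.links if not (tokens(text) & topic)]
    # Links whose URL path ends in an installer extension, wherever they are hosted.
    installer_links = [href for href, _ in parser.links
                       if urlparse(href).path.lower().endswith(INSTALLER_EXTS)]
    link_count = len(parser.links)
    share = len(unrelated) / link_count if link_count else 0.0

    return {
        "title": title,
        "link_count": link_count,
        "unrelated_share": round(share, 3),
        "installer_links": installer_links,
        "link_farm": link_count >= MIN_LINKS and share >= UNRELATED_SHARE,
        "suspicious_download": bool(installer_links),
    }


# Constructed sample: a lure page with a keyword link collection and an .msi download.
FARM_ANCHORS = [
    "university application form", "worksheet template", "student visa guide",
    "resume sample", "cover letter example", "budget spreadsheet", "tax calculator",
    "invoice template", "lesson plan", "grant proposal", "contract agreement", "recipe book",
]
LINK_FARM_HTML = (
    "<html><head><title>Free Lab Handbook PDF Download</title></head><body>"
    "<h1>Free Lab Handbook PDF Download</h1>"
    "<p><a href='https://cdn.example.invalid/setup.msi'>Download handbook now</a></p>"
    "<ul>" + "".join(f"<li><a href='/p/{i}.html'>{t}</a></li>"
                     for i, t in enumerate(FARM_ANCHORS)) + "</ul>"
    "</body></html>"
)

# Constructed sample: an ordinary page whose links stay on topic.
LEGIT_HTML = (
    "<html><head><title>Chemistry Lab Handbook</title></head><body>"
    "<a href='/safety.html'>Lab safety rules</a> "
    "<a href='/syllabus.html'>Chemistry syllabus</a> "
    "<a href='/contact.html'>Contact us</a>"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("link farm", LINK_FARM_HTML), ("legit", LEGIT_HTML)):
        print(name, analyze_page(page))
```

The title is used as the topic anchor because a crawler always has it; a production indexer would also weigh body text, inbound anchors and the hosting domain, and would treat the installer check as a reason to fetch and scan the target rather than as a verdict on its own.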