Cybersecurity experts from Menlo Labs identified two ransomware campaigns that used SEO poisoning to distribute REvil and SolarMarker backdoors on the targeted networks. The two campaigns are tracked as Gootloader and SolarMarker.
What is SEO Poisoning?
SEO poisoning, also known as search poisoning, is a long-standing attack strategy in which threat actors create malicious websites and use different SEO techniques to make them appear at the top of search results. In SEO poisoning, attackers use keyword stuffing, PDF documents, hidden text, and cloaking to manipulate search rankings and redirect victims to unwanted applications, phishing sites, malware links, and adware.
Gootloader and SolarMarker Infection Chain
Researchers stated that they have observed over 2,000 unique search terms that led to malicious websites, which automatically deploy malware on the victims’ devices. Threat actors inject malicious websites with trending keywords that users search for. The most used search terms/keywords include:
- Blue-jacket-of-the-quarter-write-up-examples
- Industrial-hygiene-walk-through-survey-checklist
- 5-levels-of-PD-eval
- Sports Mental Toughness Questionnaire
In addition to these two campaigns, the researchers have identified a rise in attacks designed to bypass traditional security measures by exploiting bugs in web browsers and abusing browser capabilities. The compromised browsers are then used to spread malware and ransomware, and to steal credentials from the targets.
How the Attack Works
Threat actors usually hide the malware behind websites that redirect users to fraudulent websites hosting malware backdoors. When a user clicks an SEO-poisoned link, they are taken through malicious PDF documents and HTTP redirections, after which a malicious payload is downloaded onto the endpoint. Menlo Labs has observed three different payload sizes being downloaded in this campaign. The smallest payload was about 70MB, while the largest was about 123MB.
“All the compromised sites hosting the malicious PDFs were observed to be WordPress sites. Most of the sites were benign sites that were compromised to host the malicious content. During our analysis, we found some well-known educational and .gov websites serving malicious PDFs. As part of our commitment to ensuring a safe Internet, we notified all the affected parties, and these malicious PDFs were taken down,” the researchers said.
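For defenders, the chain described above (search result, then a PDF, then a large payload download) can be hunted for in web proxy logs. The following is an added example, not code from Menlo Labs or the original article: the log records are constructed, and the record layout, search-engine list, five-minute window, and size margin are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

SEARCH_HOSTS = ("google.", "bing.", "duckduckgo.")  # assumption: engines to watch
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec",
             "application/vnd.microsoft.portable-executable"}
WINDOW = timedelta(minutes=5)            # assumption: correlation window
SIZE_RANGE = (65 * 2**20, 130 * 2**20)   # report: ~70MB to ~123MB, plus margin

# Constructed records: (time, client, url, referrer, content type, bytes)
SAMPLE_LOG = [
    ("2024-01-01T09:00:05", "10.0.0.12", "https://school.example/wp-content/uploads/checklist.pdf",
     "https://www.google.com/", "application/pdf", 48_213),
    ("2024-01-01T09:00:41", "10.0.0.12", "https://dl.example.net/get?id=1",
     "https://school.example/wp-content/uploads/checklist.pdf", "application/x-msdownload", 104_857_600),
    ("2024-01-01T09:10:00", "10.0.0.30", "https://vendor.example/setup.exe",
     "https://vendor.example/downloads", "application/x-msdownload", 90_000_000),
    ("2024-01-01T10:00:00", "10.0.0.50", "https://blog.example/wp-content/uploads/guide.pdf",
     "https://www.bing.com/search?q=guide", "application/pdf", 300_000),
    ("2024-01-01T10:30:00", "10.0.0.50", "https://tools.example/app.exe",
     "https://tools.example/", "application/x-msdownload", 5_000_000),
]

def from_search(referrer):
    """True when the referrer host looks like a search engine."""
    host = (urlparse(referrer).hostname or "").removeprefix("www.")
    return host.startswith(SEARCH_HOSTS)

def find_chains(records):
    """Alert on 'search result -> PDF -> executable download' per client."""
    last_pdf, alerts = {}, []   # last_pdf: client -> (time, pdf_url)
    for ts, client, url, referrer, ctype, size in sorted(records):
        when = datetime.fromisoformat(ts)
        if ctype == "application/pdf" and from_search(referrer):
            last_pdf[client] = (when, url)
        elif ctype in EXE_TYPES and client in last_pdf:
            pdf_time, pdf_url = last_pdf[client]
            if when - pdf_time <= WINDOW:   # executable soon after the PDF
                alerts.append({"client": client, "pdf": pdf_url, "payload": url,
                               "size_in_reported_range":
                                   SIZE_RANGE[0] <= size <= SIZE_RANGE[1]})
    return alerts

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```

Correlation is by client and time rather than by referrer, because a redirect chain does not reliably preserve the referrer of the PDF.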
Exploiting WordPress Plugins
In the two campaigns, the attackers did not create malicious websites; instead, they compromised existing WordPress sites with good Google search rankings. The sites were compromised by exploiting an undisclosed vulnerability in version 5.0.07 of the Formidable Forms WordPress plugin. The flaw is fixed in version 5.0.10 and later.
Conclusion
Most employees spend most of their time in web browsers, searching for information or using applications. New browser risks like SEO poisoning and other SEO-based manipulations pose a severe security threat to organizations globally. Blocking Windows executable file downloads from unknown sources is highly recommended.