An ongoing campaign of search engine optimization (SEO), poisoning attacks has been seen. It involves a misuse of trust in legitimate software to convince users to download BATLOADER malware onto compromised computers.
“The threat actor used ‘free productivity apps installation’ or ‘free software development tools installation’ themes as SEO keywords to lure victims to a compromised website and to download a malicious installer,” researchers from Mandiant said in a report published this week.
In SEO poisoning attacks adversaries artificially raise the search engine rank of websites hosting malware in order to show them at the top of search results. This allows users who search for particular apps such as Zoom, Visual Studio and TeamViewer to find malware.
The installer comes with legitimate software but also includes the BATLOADER paymentload which is executed during installation. The malware then acts as a stepping stone for gaining further insight into the targeted organization by downloading next-stage executables that propagate the multi-stage infection chain.
One of those executables is a tampered version of an internal component of Microsoft Windows that’s appended with a malicious VBScript. This attack uses a technique known signed Binary Proxy Execution in order to execute the DLL file with the legit “Mshta.exe”.
This results in the execution of the VBScript code, effectively triggering the next phase of the attack wherein additional payloads such as Atera Agent, Cobalt Strike Beacon, and Ursnif are delivered in the later stages to help perform remote reconnaissance, privilege escalation, and credential harvesting.
Another sign the operators tried out different strategies was that an alternate variant of the campaign brought the Atera remote monitoring software as a result of the original compromise. This is a signal of how the operators were open to trying new ploys.
Mandiant also called out the attacks’ overlaps with that of techniques adopted by the Conti ransomware gang, which were publicized in August 2021. “At this time, due to the public release of this information, other unaffiliated actors may be replicating the techniques for their own motives and objectives,” the researchers said.