SEO poisoning campaign hijacks your Zoom and TeamViewer installations with BATLOADER malware

Mandiant recently uncovered a search engine optimization (SEO) poisoning campaign designed to trick users into installing malware on their computers. The campaign relies on SEO techniques such as cramming keywords into the source code of malicious web pages so that those pages rank at the top of search results for free downloads of popular productivity apps.

Mandiant’s team found that the campaign uses two different infection chains. The first targets users looking for software bundles. A user who searches for something like “free software development tools install” may see a compromised website among the first-page results and visit it. If the user downloads and runs the installer from that site, it installs the legitimate software, but the BATLOADER malware comes bundled with it.

Once BATLOADER executes as part of the installation process, a multi-stage infection chain begins, with each stage downloading and executing an additional malicious payload. One of these payloads contains malicious VBScript embedded in a legitimate internal Windows component, AppResolver.dll. Despite the added VBScript, the sample DLL’s code signature remains valid, a weakness Microsoft attempted to address with the patch for CVE-2020-1599.
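The reason a signature can survive such tampering is that the Authenticode hash skips the PE's certificate table (the region the Security data directory points to), so bytes stuffed into that table, or appended after it, do not change the signed hash. The following script is an added example, not code from Mandiant's report or from the campaign: it locates the certificate table by parsing the PE headers with the standard library, then scans that region and any trailing overlay for VBScript markers. The marker list, the toy PE builder and the sample script fragment are constructed here for illustration; the builder emits a header-only PE32 with no sections, just enough for the parser to walk, and is not a real Windows DLL.

```python
"""Added example: detect script content riding in or after a PE's Authenticode
certificate table. Pure stdlib; the sample PE and VBScript are constructed."""
import struct

# Constructed sample: the kind of VBScript a loader might hide in a signed
# binary. Not taken from the campaign described in the article.
SAMPLE_VBS = (b'Set sh = CreateObject("WScript.Shell")\r\n'
              b'sh.Run "cmd /c echo toy", 0, True\r\n')

# Heuristic markers (an assumption for this example, not an exhaustive list).
SCRIPT_MARKERS = (b"createobject(", b"wscript.shell", b"<script",
                  b"executeglobal", b"execute(")


def build_toy_signed_pe(cert_payload: bytes, overlay: bytes = b"") -> bytes:
    """Build a minimal PE32 image whose Security data directory points at a
    WIN_CERTIFICATE blob wrapping cert_payload, optionally followed by overlay.
    Structurally parseable only: no sections, no code, no real signature."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # PE32 optional header including 16 data directories
    # COFF: Machine=i386, 0 sections, timestamps/symbols zero, DLL|EXEC|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    header_end = e_lfanew + 4 + 20 + opt_size
    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=2 (PKCS#7)
    cert_len = 8 + len(cert_payload)
    pad = (-cert_len) % 8  # table entries are 8-byte aligned
    cert_table = (struct.pack("<IHH", cert_len + pad, 0x0200, 0x0002)
                  + cert_payload + b"\0" * pad)
    data_dirs = [(0, 0)] * 16
    # IMAGE_DIRECTORY_ENTRY_SECURITY holds a file offset, not an RVA
    data_dirs[4] = (header_end, len(cert_table))
    opt = struct.pack("<H", 0x10B) + b"\0" * (96 - 2)
    opt += b"".join(struct.pack("<II", off, sz) for off, sz in data_dirs)
    assert len(opt) == opt_size
    return dos + b"PE\0\0" + coff + opt + cert_table + overlay


def inspect_authenticode_regions(pe: bytes) -> dict:
    """Find the certificate table via the Security data directory and report
    its size, any bytes after it, and script markers in either region."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt_off = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    if magic == 0x10B:      # PE32
        dd_off = 96
    elif magic == 0x20B:    # PE32+
        dd_off = 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    cert_off, cert_size = struct.unpack_from("<II", pe, opt_off + dd_off + 4 * 8)
    if cert_off == 0 or cert_size == 0:
        return {"signed": False, "cert_size": 0, "overlay_size": 0,
                "markers": [], "suspicious": False}
    cert_region = pe[cert_off:cert_off + cert_size].lower()
    overlay = pe[cert_off + cert_size:].lower()
    hits = [m.decode() for m in SCRIPT_MARKERS
            if m in cert_region or m in overlay]
    return {"signed": True, "cert_offset": cert_off, "cert_size": cert_size,
            "overlay_size": len(overlay), "markers": hits,
            "suspicious": bool(hits)}


if __name__ == "__main__":
    dummy_cert = b"\x30\x82" + b"\x00" * 38  # placeholder for a PKCS#7 blob
    for label, sample in (
        ("clean", build_toy_signed_pe(dummy_cert)),
        ("script appended after table", build_toy_signed_pe(dummy_cert, SAMPLE_VBS)),
        ("script stuffed into table", build_toy_signed_pe(dummy_cert + SAMPLE_VBS)),
    ):
        print(label, inspect_authenticode_regions(sample))
```

This is a triage heuristic, not a signature check: it tells you that a file has unexpected content in the one region a valid signature cannot vouch for. Pair it with an actual verification (`signtool verify /pa` or PowerShell's `Get-AuthenticodeSignature`) and treat a valid signature plus script markers in the certificate table or overlay as a strong reason to pull the sample apart.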

In a later step of this attack chain, the payload installs additional malware as well as the ATERA Agent. The second attack chain skips the previous steps and installs the ATERA Agent directly.

Fake bulletin board with a download link for a malicious package.

This second attack chain targets users looking for a specific program rather than a software bundle. When a user searches for “TeamViewer free install”, for example, one of the top results links to a compromised website that abuses a traffic direction system (TDS). The TDS redirects unsuspecting users to a malicious website while serving a legitimate-looking web page to security researchers trying to track down the malware.

Users sent to the malicious website find a message board with a download link for what appears to be legitimate software but is actually the ATERA Agent installation package. ATERA is legitimate remote monitoring and management (RMM) software, but the threat actors in this case use it to run pre-configured scripts, carry out malicious tasks, install persistent malware and finally uninstall the agent once their work is done.

According to Mandiant, some of the activity in the attack chain overlaps with techniques used in CONTI ransomware operations. The group behind this SEO poisoning campaign may be replicating CONTI techniques, relying on the training materials, playbooks and tools that a disgruntled CONTI affiliate leaked in August 2021.

Mandiant’s report about the SEO poisoning campaign contains more details, including some of the malicious domains used in the campaign, as well as the MD5 hash values of the malicious packages used in the campaign.
