Researchers have discovered a high-effort search engine optimization (SEO) poisoning campaign that appears to target employees from various industries and government sectors when they search for specific terms relevant to their work. Clicking on the malicious search results, which are artificially pushed higher in rankings, leads visitors to a known JavaScript malware downloader.
“Our findings suggest that the campaign may have foreign intelligence service influence by analyzing the topics of the blog post,” researchers from the security firm Deepwatch said in a new report. “The threat actors used blog post titles that an individual whose organization might be of interest to a foreign intelligence service would search for, e.g., ‘Confidentiality Agreement for Interpreters.’ created on one website.”
How SEO Poisoning Works
Deepwatch came across the campaign while investigating an incident at a customer where one of the employees searched for “transition services agreement” on Google and ended up on a website that presented them with what appeared to be a forum thread in which one of the users posted a link to a zip archive. The zip archive contained a file called “Accounting for Transition Services Agreement” with a .js (JavaScript) extension that was a variant of Gootloader, a malware downloader known in the past for delivering a remote access Trojan named Gootkit, but also several other malware payloads.
Transition Services Agreements (TSAs) are commonly used during mergers and acquisitions to facilitate the transition of part of an organization following a sale. Since they are used frequently, there are probably many resources available for them. The fact that the user saw and clicked on this link indicates that it ranked high in the search results.
When they looked at the website hosting the malware delivery page, the researchers realized it was a sports streaming distribution site that, based on its content, was likely legitimate. However, hidden deep within its structure were more than 190 blog posts on various topics that would be of interest to professionals working in different industry sectors. These blog posts can only be reached via Google search results.
“The suspicious blog posts cover topics ranging from government and legal to real estate, medical and education,” the researchers said. “Some blog posts cover topics related to specific legal and business questions or actions for US states such as California, Florida and New Jersey. Other blog posts cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries.”
Furthermore, the attackers deployed a translation mechanism that automatically translates and generates versions of these blog posts in Portuguese and Hebrew. Some of the topics are highly specific and will attract victims from sectors that would be of interest to foreign intelligence agencies, for example bilateral air service agreements (civil aviation), intellectual property in government contracts (government contractors) or the Shanghai Cooperation Organization (individuals working in mass media, foreign affairs or international relations). The blog posts are not duplicates of other content from the web, which Google would likely detect and penalize in search results, but are instead compiled from multiple sources, giving the appearance of well-researched original posts.
“Given the large task of researching and creating hundreds of blog posts, one can assume that many individuals are working together,” the researchers said. “However, this task may not be completely unfeasible for a solitary individual, despite the perceived level of effort required to do it.”
How TAC-011 and Gootloader Enable SEO Poisoning
Deepwatch attributes this campaign to a group they track as TAC-011 that has been operating for several years and has likely compromised hundreds of legitimate WordPress sites and potentially produced thousands of individual blog posts to boost their Google search rankings.
Once a visitor clicks on one of the rogue search results, they are not taken directly to the blog post, but instead an attacker-controlled script collects information about their IP address, operating system, and last known visit, then performs a series of checks before deciding whether to show them the benign blog post or the malicious overlay impersonating a forum thread. Based on the researchers’ tests, users who received the overlay don’t get it again for at least 24 hours. Visitors using well-known VPN services or Tor are not directed to the overlay, nor are those using operating systems other than Windows.
The zip file linked in the fake forum thread is hosted on other compromised websites that are likely controlled from a central command and control server. The researchers were unable to determine which additional payloads Gootloader deployed on victim machines, as these are likely chosen based on the victim’s organization. The malicious JavaScript file also collects information about the victim’s machine, including the %USERDNSDOMAIN% variable that can expose the internal corporate domain name of the organization.
“For example, if a company with a Windows Active Directory environment and a computer logged into the organization’s network is compromised, the adversary will know they have access to that organization,” the researchers said. “At this point, the threat actor can sell access or abandon another post-exploit tool like Cobalt Strike and move laterally into the environment.”
Mitigating SEO Poisoning Attacks
Organizations should train their employees to be aware of these search result poisoning attacks and to never execute files with suspicious extensions. This can be backed up with a Group Policy that forces files with potentially dangerous script extensions such as .js, .vbs, .vbe, .jse, .hta and .wsf to open in a text editor such as Notepad rather than run in the Microsoft Windows Based Script Host program, which is the default behavior in Windows.
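To check whether that policy has actually taken effect on a workstation, the following read-only PowerShell audit (an added example, not from the Deepwatch report) resolves what a double-click does for each extension listed above. It assumes the standard Windows file-association registry locations and treats wscript.exe, cscript.exe and mshta.exe as the script hosts to flag.

```powershell
# Added example: report which program opens each risky script extension.
# Read-only; it changes no associations.
$extensions  = '.js', '.jse', '.vbs', '.vbe', '.hta', '.wsf'
$scriptHosts = 'wscript\.exe|cscript\.exe|mshta\.exe'   # programs that execute the file

function Get-DefaultValue([string]$Path) {
    # Returns the (Default) value of a registry key, or nothing if the key is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

$report = foreach ($ext in $extensions) {
    # A per-user "Open with" choice takes precedence over the machine-wide mapping.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $progId = (Get-ItemProperty -LiteralPath $userChoice -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) { $progId = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$ext" }

    # The ProgID's open verb holds the command line used on double-click.
    $command = if ($progId) {
        Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    }

    $status = if (-not $command) {
        'no open handler found'
    } elseif ($command -match $scriptHosts) {
        'runs in a script host on double-click'
    } else {
        'opens in a non-script-host program'
    }

    [pscustomobject]@{
        Extension   = $ext
        ProgId      = $progId
        OpenCommand = $command
        Status      = $status
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it in the context of the logged-on user, since the per-user choice is read from that user's registry hive.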
Another piece of non-technical guidance offered by Deepwatch is making sure employees have the agreement templates they need available internally. More than 100 of the blog posts found on that one compromised sports streaming site were about some sort of business-related agreement template. Another 34 were about contracts. Law, purchase, tax and law were also common keywords. The fake forum thread technique has been in use since at least March 2021 and continues to work, suggesting that attackers still see it as viable and delivering a high success rate.
“Having a process where an employee can request specific templates can reduce their need to search for the templates and thus fall victim to this tactic,” the researchers said.