The clever operation directs people looking for business templates and forms to websites that are hosting dangerous files. Researchers have found a high-effort SEO poisoning campaign involves workers in various business and governmental sectors. They look up specific terms related to their jobs. Visitors clicking the harmful artificially pushed ranking search results are taken to a site that downloads known JavaScript malware.

The clever operation directs people looking for business templates and forms to websites that are hosting dangerous files. Researchers have found a high-effort SEO poisoning campaign gone against workers in various business and governmental sectors. They also looked up specific terms related to their jobs. Visitors who click on the harmful search results that have been artificially pushed up in ranking are taken to a site that downloads known JavaScript malware.

How SEO poisoning works

With a client, Deepwatch stumbled across the campaign when one of the staff members Googled “transition services agreement”. And got up on a website that displayed what appeared to be a forum topic where one of the users gave a link to a zip archive. A file with the name Accounting for transition services agreement and the extension.js (JavaScript) was contained in the zip archive. This has a variant of Gootloader, a malware downloader previously spread the remote access Trojan Gootkit and also other payloads.

In mergers and acquisitions, transition services agreements (TSAs) are frequently used to make it easier to transition a piece of a company after a sale. They probably have access to a lot of resources because they are used regularly. The fact that the user noticed and selected this link indicates that it was prominently presented.

The researchers discovered the website hosting the virus delivery page was a sports streaming distribution site that was probably authentic based on its content when they looked at the website. Though over 190 blog entries on various subjects that would be of interest to experts working in various industry sectors were buried deep within its structure. Only Google search results can be used to access these blog content.

The researchers noted that the suspicious blog entries “include areas ranging from government and legal to real estate, medical, and education.” “A few blog postings discuss issues pertaining to certain legal and commercial issues or actions for US states like California, Florida, and New Jersey. Topics pertinent to Australia, Canada, New Zealand, the United Kingdom, the United States, and other nations are covered in separate blog posts.”

The Translations

Additionally, the attackers set up a translation engine that produces versions of these blog articles in Hebrew and Portuguese automatically. The topics include bilateral air service agreements (civil aviation), intellectual property in government contracts (government contractors), and the Shanghai Cooperation Organization, among others, and could entice victims from industries of interest to foreign espionage organizations (individuals working in mass media, foreign affairs or international relations). The blog entries are composed from a variety of sources, providing the impression of well-researched unique posts, rather than being copies of other web content, which Google would probably detect and penalise in search results.

Researchers said, “one may conclude that many individuals are working collaboratively given the mammoth undertaking of researching and generating hundreds of blog articles”. Despite the seeming level of effort required to execute this undertaking may not be absolutely unachievable for a lone individual.

How TAC-011 and Gootloader enable SEO poisoning

This campaign has been attributed by Deepwatch to a TAC-011-monitored gang that has been active for a while, hijacked hundreds of legitimate WordPress websites. They may have written thousands of individual blog articles to boost their Google search rankings.

When a user clicks on one of the fake search results, they are not immediately taken to the blog post. Instead, an attacker-controlled script gathers data on the user’s IP address, and operating system. Most recent visit before running a number of checks to determine whether to display the good blog post.

Users who received the overlay didn’t receive it for at least 24 hours, according to studies conducted by the researchers. Visitors who use Tor or well-known VPN services are not forwarded to the overlay, nor are users of other operating systems than Windows.

The hijacked websites hosting the zip file that is linked in the false forum discussion are probably under the control of a centralized command-and-control server. The additional payloads that Gootloader installed on target PCs were not identifiable by the researchers. Since they were probably chosen based on the victim’s organization. Additionally, the malicious JavaScript programme gathers certain data about the victim’s computer. That includes the “%USERDNSDOMAIN% variable, which could reveal the company’s internal corporate domain name.

The adversary would be aware that they have access to that organization, the researchers claimed. For instance, a business with a Windows Active Directory system and a computer logged into the corporation’s network were infiltrated. Now, the threat actor could migrate laterally throughout the environment or sell access to another post-exploitation tool like Cobalt Strike.

Mitigating SEO poisoning attacks

Employers should educate their staff in searching result poisoning attacks and remind them never to open files with unknown extensions. Group Policy can be used to enforce this so that, contrary to Windows’ usual behavior, files with script extensions. These extensions include, like.js,.vbs,.vbe,.jse,.hta, and.wsf are opened with a text Notepad rather than the Microsoft Windows Based Script Host software.

Make sure that employees have access to the agreement templates they require internally. This is yet another non-technical piece of advice from Deepwatch. On one single hijacked sports streaming website, there were over 100 blog posts concerning various business-related agreement templates.

34 more were related to contracts. Other popular search terms included legal, tax, purchasing, and law. Since at least March 2021, the phoney forum thread technique has been used and is still effective. This indicates that attackers still believe it to be useful and have a high success rate.

According to the researchers, “having a mechanism employee may request templates may lessen their need to hunt for the templates. And so fall prey to these strategies.”