The Precursor SOC have recently been tracking threat actors continuing to abuse SEO search terms to trick users into installing malware.
The Precursor Managed Detection & Response (MDR) team tracks many cyber threats, and we have recently identified a persistently growing adversary tactic: SEO poisoning. These attacks abuse Search Engine Optimisation (SEO) so that malicious pages rank for the keywords their targeted victims are likely to search for. Our Incident Response team recently responded to a sophisticated incident of this kind that targeted the education and legal sectors across Europe.
In this blog, Nathan Burke, one of our MDR SOC Analysts, dissects a recently discovered campaign targeting users looking for the AnyDesk and Notion websites.
Precursor collects intelligence from a variety of sources, including but not limited to network traffic analysis, threat intelligence feeds, and open-source intelligence (OSINT). Through this comprehensive approach, Precursor discovered reports related to the following domains:
These domains are examples of typosquatting, a type of cyber attack in which a threat actor registers a domain name that contains a common misspelling or variation of a popular or legitimate domain name. The goal is to exploit typing errors users make when entering web addresses: for example, a user intending to visit "example.com" might accidentally type "exampel.com". In this case the addresses being typosquatted are Anydesk.com and Notion.com.
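A simple way to surface lookalikes such as the two above is to score the registrable label of each observed domain against a short list of protected brand names by edit distance. The following Python is an added example written for this post, not Precursor's tooling: it refangs defanged indicators, strips the TLD, and uses optimal string alignment distance so that a transposition such as "exampel" counts as one edit. The brand list and the threshold of two edits are assumptions; the candidate domains are the ones named in the post plus two constructed benign ones.

```python
"""Flag domains whose registrable label sits within a small edit distance
of a protected brand name. Added example; brand list and threshold are
assumptions, not values from the original post."""

# Brands whose domains the post says were typosquatted.
PROTECTED_BRANDS = ["anydesk", "notion"]

# Maximum edit distance treated as a likely typosquat (assumption: two
# edits catch single and double typos without matching unrelated names).
MAX_DISTANCE = 2


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'amydlesk[.]com' into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def registrable_label(domain: str) -> str:
    """Return the second-level label: 'www.amydlesk.com' -> 'amydlesk'.
    Simplification: assumes a single-label public suffix (no co.uk handling)."""
    parts = refang(domain).rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so 'exampel' vs 'example' scores 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def closest_brand(domain: str) -> tuple:
    """Return (brand, distance) for the nearest protected brand."""
    label = registrable_label(domain)
    return min(((brand, osa_distance(label, brand)) for brand in PROTECTED_BRANDS),
               key=lambda t: t[1])


def is_typosquat(domain: str) -> bool:
    """True when the label is close to, but not identical with, a brand."""
    _, dist = closest_brand(domain)
    return 0 < dist <= MAX_DISTANCE


if __name__ == "__main__":
    # Domains from the post plus two constructed benign entries.
    for candidate in ["amydlesk[.]com", "notliion[.]com", "anydesk.com", "github.com"]:
        brand, dist = closest_brand(candidate)
        print(f"{candidate:18} nearest={brand:8} distance={dist} flagged={is_typosquat(candidate)}")
```

Exact brand matches score zero and are deliberately not flagged, so the check can run over raw DNS or proxy logs without alerting on the legitimate anydesk.com.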
Using ANY.RUN to visit the sites, only amydlesk[.]com and notliion[.]com allowed a connection. Both URLs masquerade as anydesk.com, posing as the 'real' site. However, attempting to visit any other page on the site results in a 'page not found' error. The exception is the help centre link, which redirects to the official AnyDesk web page.
The website’s domain is hosted in the Russian Federation with the IP address of 45[.]93[.]20[.]93 as confirmed on URLscan.io.
Clicking any of the download buttons triggers a script that automatically attempts to download an MSIX file. Checking the network tab in Chrome DevTools shows that a GET request is sent to https[:]//amydlesk[.]com/download/dwnl[.]php, which then initiates the download from https[:]//monkeybeta[.]com/build/AnyDesk-x86[.]msix.
When visiting monkeybeta[.]com/build, I encountered an error message indicating that I was not authorised to view the page. This corresponds to an HTTP 403 Forbidden error code. Visiting monkeybeta[.]com had no useful information and is likely just the hosting server for the malicious files.
The surge in MSIX installer malware can be attributed to the global shift towards remote work, with individuals increasingly reliant on popular applications like Zoom and AnyDesk to facilitate virtual collaboration. As remote work becomes more prevalent, threat actors will exploit this trend by distributing malicious MSIX installers disguised as legitimate software downloads. Microsoft has already disabled the MSIX ms-appinstaller protocol handler twice to fix vulnerabilities that allowed threat actors to sign packages with legitimate code-signing certificates acquired illicitly, making the packages appear to have come from legitimate sources. "Threat actors have likely chosen the ms-appinstaller protocol handler vector because it can bypass mechanisms designed to help keep users safe from malware, such as Microsoft Defender SmartScreen and built-in browser warnings for downloads of executable file formats," Microsoft said.
Endpoint Detection and Response (EDR) solutions are pivotal in combating MSIX installer malware. By continuously monitoring endpoint activity and scrutinising behaviour patterns, EDR solutions can swiftly flag suspicious activity linked to MSIX files, such as unauthorised installations, file alterations, or unusual process executions. Moreover, Sysmon, a component of the Sysinternals suite, provides deeper insight into system-level activity. By configuring Sysmon to record the events tied to MSIX installer activity (process creation, file creation and modification, and network connections), the SOC can quickly identify and analyse potential indicators of compromise (IOCs) associated with MSIX malware.
Proactively collecting and analysing threat intelligence further bolsters detection. This involves gathering IOCs, malware signatures, and known attack patterns related to MSIX installer malware. By integrating threat intelligence feeds from reputable sources such as industry-specific Information Sharing and Analysis Centres (ISACs) and threat intelligence platforms, the SOC stays current with emerging threats and updates its detection mechanisms accordingly.
Additionally, monitoring network traffic for IOCs associated with MSIX installer malware, such as suspicious domain names, IP addresses, or communication protocols, aids early detection and mitigation. Network Intrusion Detection Systems (NIDS) and next-generation firewalls (NGFWs) with threat intelligence capabilities can automatically identify and block connections to known malicious domains or IP addresses associated with MSIX malware distribution. This multi-faceted approach provides robust protection against the evolving threat posed by MSIX installer malware.
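To make the Sysmon and IOC guidance above concrete, here is an added Python example (not Precursor's detection content) that runs three checks over a handful of constructed Sysmon-style events: DNS queries and network connections to the indicators named in this post, a browser writing an .msix file to disk, and the MSIX installer launching on a host where such a download was just observed. The event dictionaries imitate the fields of Sysmon Event IDs 22, 3, 11 and 1 but are simplified and constructed for the example; the browser image names, the installer image name AppInstaller.exe, the host names and the file paths are assumptions.

```python
"""Three detections over constructed Sysmon-style events. Added example:
event shapes imitate Sysmon IDs 22 (DNS), 3 (network), 11 (file create)
and 1 (process create) but are simplified dicts, not exported logs."""
from dataclasses import dataclass

# Indicators named in the post, stored refanged for matching.
IOC_DOMAINS = {"amydlesk.com", "notliion.com", "monkeybeta.com"}
IOC_IPS = {"45.93.20.93"}

# Assumptions: browser images that write downloads, and the image name
# of the Windows App Installer process that handles .msix packages.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
MSIX_INSTALLER = "appinstaller.exe"


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def _image_name(path: str) -> str:
    """Last component of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def _domain_matches(name: str) -> bool:
    """Exact or subdomain match against the IOC domain set."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def detect(events):
    """Return alerts in event order. Correlates a browser-written .msix with
    a later installer launch on the same host."""
    alerts = []
    msix_dropped = {}  # host -> path of the most recent browser-written .msix
    for ev in events:
        eid, host = ev["EventID"], ev["Computer"]
        if eid == 22 and _domain_matches(ev["QueryName"]):
            alerts.append(Alert("ioc_dns_query", host, ev["QueryName"]))
        elif eid == 3 and ev["DestinationIp"] in IOC_IPS:
            alerts.append(Alert("ioc_network_connection", host, ev["DestinationIp"]))
        elif eid == 11:
            if (_image_name(ev["Image"]) in BROWSERS
                    and ev["TargetFilename"].lower().endswith(".msix")):
                msix_dropped[host] = ev["TargetFilename"]
                alerts.append(Alert("browser_wrote_msix", host, ev["TargetFilename"]))
        elif eid == 1:
            if _image_name(ev["Image"]) == MSIX_INSTALLER and host in msix_dropped:
                alerts.append(Alert("msix_install_after_download", host, msix_dropped[host]))
    return alerts


# Constructed sample: one host reproducing the chain described in the post,
# plus benign noise on a second host that must not alert.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"EventID": 22, "Computer": "WS-07", "QueryName": "amydlesk.com"},
    {"EventID": 3, "Computer": "WS-07", "DestinationIp": "45.93.20.93", "DestinationPort": 443},
    {"EventID": 22, "Computer": "WS-07", "QueryName": "monkeybeta.com"},
    {"EventID": 11, "Computer": "WS-07", "Image": CHROME,
     "TargetFilename": r"C:\Users\alice\Downloads\AnyDesk-x86.msix"},
    {"EventID": 1, "Computer": "WS-07",
     "Image": r"C:\Program Files\WindowsApps\PLACEHOLDER_PACKAGE\AppInstaller.exe"},
    {"EventID": 22, "Computer": "WS-12", "QueryName": "anydesk.com"},
    {"EventID": 11, "Computer": "WS-12", "Image": CHROME,
     "TargetFilename": r"C:\Users\bob\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert.host}  {alert.rule:28} {alert.detail}")
```

The domain match is a suffix match, so a query for a subdomain of an IOC domain still alerts, while the legitimate anydesk.com on the second host does not. The last rule is the one worth keeping even after the specific domains in this post go stale: a browser writing an .msix followed by the installer launching is behaviour, not an indicator, and it survives infrastructure changes.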
SEO poisoning is a rising threat that demonstrates a clear ability to circumvent popular endpoint protection and web filtering controls, due to its evasive nature and the ease with which attackers acquire infrastructure via compromised WordPress websites. Organisations should run training and awareness exercises on the threats of malvertising and SEO poisoning. Moreover, organisations should review their capability and readiness to respond to such a threat.
Choose Precursor Security for penetration testing excellence—where industry-leading expertise, CREST accreditation, and a client-focused approach converge to fortify your digital defences with precision and reliability.
We have a CREST accredited Security Operations Centre and all of our penetration testers are CREST certified.
We are accredited to the highest of standards including CREST, ISO27001, ISO9001 and Cyber Essentials Plus.
Our experts have a combined experience of over 30 years delivering security operations to sectors such as healthcare, financial services, aerospace and more.
It's important to know what you're getting, what's not included and what else is available. This starts with understanding a SOC and its critical functions. CREST has recently published a guide to the critical functions of a SOC which aligns with the CREST SOC standard.
Precursor Security
Welcome to Precursor Security, where the forefront of cybersecurity and penetration testing expertise meets unmatched dedication and innovation. We are the architects of robust digital defences, committed to safeguarding the online realm.