February 15, 2024

Tracking malware delivered by SEO Poisoning targeting multiple sectors in UK & EU (Precursor Security SOC)

The Precursor SOC responded to a major cyber incident where the root cause was targeted SEO poisoning. Further investigations uncovered a sophisticated campaign targeting key business sectors in the UK & EU.

The Tip-Off

Precursor were recently engaged by an organisation in need of assistance, following a tip-off from the National Cyber Security Centre (NCSC) that a device on their network was known to be infected with malware. The invaluable notification allowed the organisation to react in time to prevent a ransomware breakout. The malware was delivered via a novel technique known as SEO Poisoning.

The Malware - Gootloader

Precursor Security’s Incident Response services were engaged to investigate further, providing expert digital forensics & incident response. The team uncovered a malicious .zip file in the user’s Downloads directory, containing a malicious JavaScript (.js) file. The script was retrieved for further analysis whilst the delivery mechanism of the malware was investigated. This malware is known as ‘Gootloader’.

Delivery of Malware via SEO Poisoning

What is SEO Poisoning?

SEO Poisoning is a technique employed by malicious actors whereby they aim to display hijacked websites at the top of search engine results to lure or trick users into downloading malware from them. There are two known methods:

  • Malvertising – Having websites show in the ‘ads’ section of search engines, which guarantees they appear at the top.
  • Search term poisoning – Using genuine SEO techniques to have websites show in the top results for targeted search terms.

Malicious actors tend to hijack vulnerable websites with good SEO ratings and create fictitious pages to host their malware download links. This technique of acquiring infrastructure also provides other offensive benefits, such as being able to bypass web and email gateway filters, due to characteristics such as:

  • Domains being ‘aged’
  • Websites having a historically good reputation

Confirming the Delivery

Our DFIR team acquired digital evidence from the device to investigate further. The team uncovered the SEO poisoning during analysis of the browser history artefacts, which led them to a malicious website offering a .zip file matching the details of the .zip file recently found on disk.
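The delivery chain described above (search-engine referrer, landing on the hijacked page, a .zip named after the search term, a single .js inside it) can be expressed as a triage check over browser-history and download records. The following is an added example written for this article, not Precursor’s tooling; the history/download record layout, the host `hijacked-blog.example` and the sample archive are all constructed for illustration.

```python
import io
import re
import zipfile
from urllib.parse import parse_qs, urlparse

# Search-engine hosts whose results URL carries the query in the "q" parameter.
SEARCH_ENGINES = {"www.google.com", "www.google.co.uk", "www.bing.com", "duckduckgo.com"}

def search_query(referrer):
    """Return the search term if `referrer` is a search-engine results URL, else None."""
    u = urlparse(referrer or "")
    if u.netloc.lower() not in SEARCH_ENGINES:
        return None
    return parse_qs(u.query).get("q", [None])[0]

def tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower()))

def flag_seo_poisoned_download(history, download, zip_bytes):
    """history: list of {"url", "referrer"} visits; download: {"referrer", "filename"}.
    Returns the search term when the chain search engine -> landing page -> .zip named
    after the term -> single .js inside the archive is present, otherwise None."""
    if not download["filename"].lower().endswith(".zip"):
        return None
    landing = [v for v in history if v["url"] == download["referrer"]]
    query = search_query(landing[-1]["referrer"]) if landing else None
    if query is None:
        return None
    # Gootloader names the archive after the term the victim searched for.
    if len(tokens(query) & tokens(download["filename"][:-4])) < 2:
        return None
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return query if len(names) == 1 and names[0].lower().endswith(".js") else None

def build_sample():
    """Constructed sample artefacts (hypothetical host, not the incident's real data)."""
    results = "https://www.google.com/search?q=sample+commercial+rent+agreement"
    landing = "https://hijacked-blog.example/sample-commercial-rent-agreement/"
    history = [{"url": results, "referrer": ""}, {"url": landing, "referrer": results}]
    download = {"referrer": landing, "filename": "sample_commercial_rent_agreement 12345.zip"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample_commercial_rent_agreement 12345.js", "// placeholder body\n")
    return history, download, buf.getvalue()
```

Run against real exports, the history would come from the browser’s History database and the download record from its download table; a hit returns the poisoned search term, which can then be compared with the list at the end of this article.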

Uncovering a Sophisticated & Targeted Campaign

Upon the discovery of the malicious website, the team performed in-depth analysis in a private sandbox environment, uncovering the following criteria, which are applied when visiting the website:

There is code that checks if:

  • The client has been redirected from a search engine
  • The client device is Windows and not a tablet/mobile
  • The client geolocation is an English-speaking country
  • The client device has never visited this website before

Provided all these criteria ‘pass’, the visitor is shown a malicious version of the page; otherwise, a fictitious version. The malicious version tends to be the same apart from the words/narrative of the text, which are tailored to the search term the user searched for.

See below the search term leading to the malicious version, then the fictitious version, which is generated because the sub-criterion “The client device has never visited this website before” no longer matches.

As you can see below, the malicious version leads to a convenient ‘direct download link’ for the term the user searched for:

A screenshot of the malicious version, which leads to a convenient ‘direct download link’ for the term the user searched for.
A screenshot showing the direct download link relevant to the term the user was searching for.

However, if the criteria didn’t match, the user is then shown a basic ‘blog’ looking page with no download links:

A screenshot showing a basic 'blog-looking' page which would be displayed to devices which didn't meet the criteria.

Over 15 targeted search terms were found by inspecting the ‘Googleon’ section of the HTML behind the website:

A screenshot showing the other various search terms the page was targeting, found by inspecting the 'Googleon' section of the website.

The team analysed the malicious JavaScript file found inside the .zip, uncovering a further 2 ‘Command & Control’ servers and more targeted search terms in their respective HTML code. It was also confirmed that all 3 websites were hijacked, vulnerable WordPress websites; the genuine owners and hosting providers were notified.

The general victimology implied by these search terms covers the commercial, legal, real estate and financial sectors. The search terms included references to European, UK and US terms.

Summary

Precursor Security’s Incident Response service swiftly uncovered a sophisticated malware delivery campaign that could’ve led to ransomware, data loss and extortion if not handled promptly. Organisations should remain vigilant about the evolving ways in which ransomware can manifest, and ensure their security controls are effective against them.

Indicators of Compromise

Zip file MD5: 0CE5B9D617071A7CE14ACBBDCD3A77BD

JS File MD5: d7288e1331de97816dbbf904240ef140

Second Dropped File MD5: 7e90c927b80523c27e857ff262a171e0

Targeted Search Terms

  • Sample Commercial Rent Agreement
  • Money Agreement Document
  • [redacted] Data Processing Agreement
  • Rent Free Lease Agreement
  • Trade Agreements Greece
  • How Should the Pronoun Agreement in This Sentence Be Changed If at All
  • Confirmation of Verbal Agreement Sample
  • Reciprocal Agreement Definition in Business
  • Alumni Agreement
  • What Articles Should Be Included in a Partnership Agreement
  • Royalty Purchase Agreement
  • Hedging Currency Risk with Forward Contracts
  • Exclusive Agency Agreement Sample
  • [redacted] Licensing Agreement
  • [redacted] Bird Agreement
  • Agreement Negotiation Skills
  • Apartment Owners Association Lease Agreement
  • Good Friday Agreement Images
  • Marketing Contractor Hourly Rate
  • Letter to Terminate Contract with Letting Agent

Additional Server 2:

  • Mortgage Agreement in Principle Online [redacted]
  • Login to [redacted] Installment Agreement
  • Subject Verb Agreement Class 6 Pdf
  • Persuasive Agreement Meaning
  • Data Processing Agreement Po
  • Leave and License Agreement Download Word Format
  • Eu-Vietnam Free Trade Agreement Delayed to 2020
  • Agreement [redacted]
  • Earlier Agreement
  • Employment Contract Side Letter Template
  • Co-Investment Agreement
  • Residential Schools Settlement Agreement
  • What Do You Mean by General Agreement
  • Fence Encroachment Agreement
  • Who Can Sign a Business Associate Agreement
  • Joint Venture Agreement Nsw
  • Can a 16 Year Old Get a Contract Phone
  • Settlement or Agreement
  • Canceling a Lease Agreement
  • Sweet Agreement

Written by

Precursor Security
