
New SEO Poisoning Campaign Distributing Trojanized Versions of Popular Software
2022-02-03 02:49

An ongoing search engine optimization poisoning attack campaign has been observed abusing trust in legitimate software utilities to trick users into downloading BATLOADER malware on compromised machines.

"The threat actor used 'free productivity apps installation' or 'free software development tools installation' themes as SEO keywords to lure victims to a compromised website and to download a malicious installer," researchers from Mandiant said in a report published this week.

In SEO poisoning attacks, adversaries artificially inflate the search engine ranking of websites hosting their malware so that those sites appear at the top of search results; users searching for specific apps like TeamViewer, Visual Studio, and Zoom then land on the attacker-controlled pages and are infected with malware.

The installer, while packing the legitimate software, is also bundled with the BATLOADER payload that's executed during the installation process.

The attack subsequently leverages a technique called signed binary proxy execution to run the DLL file using the legitimate "Mshta.exe" utility.
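
The mshta.exe step above is a good example of why defenders watch the parent process and the argument of a signed Windows binary rather than the binary itself. The script below is an added illustration, not code from the article or from Mandiant: it parses a few constructed, simplified Sysmon-style process-creation records (hypothetical hosts, users and paths) and flags mshta.exe launches whose target is not an HTA file, whose parent looks like an installer, or whose paths sit in user-writable directories. The field names and heuristics are assumptions for the example, not a vendor rule set.

```python
"""Flag mshta.exe proxy-execution patterns in process-creation logs.

Added example (not from the article or from Mandiant). Records are
constructed in a simplified "key=value" format; real telemetry such as
Sysmon Event ID 1 carries the same Image / ParentImage / CommandLine data.
"""
import re
from typing import Dict, List

# Quoted values (the command line) may contain spaces; everything else is one token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (hypothetical hosts, users and paths).
SAMPLE_LOGS = [
    # Trojanized installer hands a DLL to mshta: the pattern the article describes.
    r'ts=2022-02-01T10:00:01Z host=WS01 image=C:\Windows\System32\mshta.exe '
    r'parent=C:\Users\alice\Downloads\TeamViewer_Setup.exe '
    r'cmdline="mshta.exe C:\Users\alice\AppData\Local\Temp\update.dll"',
    # Legitimate HTA opened by the shell from a program directory: benign.
    r'ts=2022-02-01T10:02:13Z host=WS01 image=C:\Windows\System32\mshta.exe '
    r'parent=C:\Windows\explorer.exe '
    r'cmdline="mshta.exe C:\Program Files\Vendor\help.hta"',
    # Unrelated process: ignored entirely.
    r'ts=2022-02-01T10:03:40Z host=WS02 image=C:\Windows\System32\notepad.exe '
    r'parent=C:\Windows\explorer.exe cmdline="notepad.exe"',
    # Non-HTA target under a temp directory, but parent is the shell.
    r'ts=2022-02-01T10:05:02Z host=WS02 image=C:\Windows\System32\mshta.exe '
    r'parent=C:\Windows\explorer.exe '
    r'cmdline="mshta.exe C:\Users\bob\AppData\Local\Temp\VisualStudio_Setup.dll"',
]

INSTALLER_HINTS = ('setup', 'install')
USER_WRITABLE = ('\\downloads\\', '\\appdata\\local\\temp\\', '\\temp\\')


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def score_mshta_event(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a record looks like mshta proxy execution; empty if benign."""
    if basename(rec.get('image', '')) != 'mshta.exe':
        return []
    reasons = []
    cmd = rec.get('cmdline', '')
    parent = rec.get('parent', '')
    # Everything after the binary name is what mshta was asked to run.
    parts = cmd.split(None, 1)
    target = parts[1].strip('"') if len(parts) > 1 else ''
    tl = target.lower()
    if target and not tl.endswith(('.hta', '.htm', '.html')):
        reasons.append(f'non-HTA target: {basename(target)}')
    if any(h in basename(parent) for h in INSTALLER_HINTS):
        reasons.append(f'installer-like parent: {basename(parent)}')
    if any(d in tl for d in USER_WRITABLE) or any(d in parent.lower() for d in USER_WRITABLE):
        reasons.append('path under user-writable directory')
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the heuristic over raw records and collect the suspicious ones."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        reasons = score_mshta_event(rec)
        if reasons:
            hits.append({
                'host': rec.get('host'),
                'parent': rec.get('parent'),
                'cmdline': rec.get('cmdline'),
                'reasons': reasons,
            })
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOGS):
        print(hit['host'], hit['cmdline'])
        for reason in hit['reasons']:
            print('   -', reason)
```

Two of the four constructed records are flagged: the installer-spawned DLL trips all three heuristics, while the temp-directory DLL launched from the shell trips two. The help.hta launch is left alone, which is the point of scoring on context instead of blocking mshta.exe outright.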

What's more, in a sign that the operators experimented with different ploys, an alternative variant of the same campaign delivered the Atera remote monitoring and management software directly as a consequence of the initial compromise, giving the attackers a ready-made channel for follow-on post-exploitation activity.


News URL

https://thehackernews.com/2022/02/new-seo-poisoning-campaign-distributing.html