Attackers poison SEO results, manipulating search engine rankings so that users looking for ordinary documents are redirected to malicious sites.
To do so, they exploit vulnerabilities in legitimate websites and inject malicious code or links, pushing their deceptive content higher in search results.
Recently, researchers at The DFIR Report documented an intrusion in which hackers poisoned SEO results to deliver Gootloader malware and ultimately obtained hands-on RDP access to the victim environment.
Hackers Poison SEO Results
In February 2023, a user searching for an “implied employment contract” landed on a search result poisoned by Gootloader operators.
The result led to a fake forum page offering the document for download, and the user clicked the link. When the download was opened, Gootloader executed and displayed a decoy file to make the download look legitimate.
The loader then ran a PowerShell script that connected to a remote endpoint.
Windows Defender blocked some later lateral-movement attempts, but the attackers nevertheless completed their objective: they used SystemBC to reach and compromise a domain controller.
Over RDP, they then accessed backups and sensitive data, and an attempt was made to delete the backups.
In summary, the user visited an SEO-poisoned website and was directed to a suspicious forum link for downloading an “implied employment contract.”
The seemingly harmless document was actually a Gootloader JavaScript loader inside a zip archive. The loader executed a JavaScript chain that created a scheduled task, which in turn ran an obfuscated script.
The infection chain that followed involved the following Windows processes:
- svchost.exe
- wscript.exe
- cscript.exe
- powershell.exe
Several of the servers contacted by the script returned an HTTP 405 response. One of them, however, at 46.28.105[.]94, served the payload.
The download contained the Gootloader stage 1 (an obfuscated DLL) and stage 2 (an executable); the scripts wrote both stages to the registry.
Stage 1 deobfuscated stage 2, which loaded a Cobalt Strike Beacon. Cobalt Strike’s “getsystem” command appears to have been used for privilege escalation, spawning cmd.exe from dllhost.exe.
A new logon session was created with stolen credentials, visible as a logon of type 9 (NewCredentials) with the logon process “seclogo,” a pattern consistent with pass-the-hash. Restricted Admin mode was then enabled so that RDP could be authenticated with a password hash.
Registry changes were also made to permit incoming RDP connections.
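The two artifacts described above (a type 9 “seclogo” logon and registry changes that enable Restricted Admin mode and RDP) are straightforward to hunt for in endpoint telemetry. The following Python is an added example written for this page, not code from The DFIR Report or the article. It runs over constructed JSON records loosely modelled on Windows Security event 4624 and Sysmon event 13 (RegistryEvent SetValue). The registry values it watches, DisableRestrictedAdmin and fDenyTSConnections, are the standard values that control these two settings; the article does not name the exact keys the intruders modified, so treating them as the ones involved is an assumption.

```python
"""Hunt for NewCredentials logons and RDP-enabling registry writes.

Added example (not from The DFIR Report or the article). The input is
constructed sample telemetry, not real logs from the intrusion.
"""
import json
import re

# Standard registry values controlling the two behaviours discussed.
# Assumption: the intruders touched these values; the article does not say.
# DisableRestrictedAdmin = 0  -> Restricted Admin mode ON (hash-based RDP logon)
# fDenyTSConnections     = 0  -> incoming RDP connections allowed
RESTRICTED_ADMIN = r"HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin"
DENY_TS = r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"

# Constructed sample events, one JSON object per line (not real data).
SAMPLE_LOG = "\n".join([
    json.dumps({"EventID": 4624, "Computer": "DC01", "LogonType": 9,
                "LogonProcessName": "seclogo", "TargetUserName": "backup_admin",
                "TargetDomainName": "CORP"}),
    json.dumps({"EventID": 4624, "Computer": "WS07", "LogonType": 10,
                "LogonProcessName": "User32", "TargetUserName": "jdoe",
                "TargetDomainName": "CORP"}),
    json.dumps({"EventID": 13, "Computer": "DC01",
                "Image": "C:\\Windows\\System32\\reg.exe",
                "TargetObject": RESTRICTED_ADMIN, "Details": "DWORD (0x00000000)"}),
    json.dumps({"EventID": 13, "Computer": "DC01",
                "Image": "C:\\Windows\\System32\\reg.exe",
                "TargetObject": DENY_TS, "Details": "DWORD (0x00000000)"}),
    json.dumps({"EventID": 13, "Computer": "WS07",
                "Image": "C:\\Windows\\System32\\svchost.exe",
                "TargetObject": DENY_TS, "Details": "DWORD (0x00000001)"}),
])

_DWORD = re.compile(r"DWORD\s*\((0x[0-9a-fA-F]+)\)")


def load_events(text):
    """Parse newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_dword(details):
    """Return the integer from a Sysmon 'DWORD (0x...)' Details string, else None."""
    m = _DWORD.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def find_newcredentials_logons(events):
    """4624 events with LogonType 9 and logon process 'seclogo'.

    Pass-the-hash tooling produces this pattern, but so does a legitimate
    `runas /netonly`, so treat hits as leads to correlate with the source
    process and account, not as a verdict by themselves.
    """
    hits = []
    for e in events:
        if (e.get("EventID") == 4624 and e.get("LogonType") == 9
                and str(e.get("LogonProcessName", "")).lower() == "seclogo"):
            hits.append((e["Computer"],
                         f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'))
    return hits


WATCHED = {
    RESTRICTED_ADMIN.lower(): "Restricted Admin mode enabled (hash-based RDP logon possible)",
    DENY_TS.lower(): "incoming RDP connections enabled",
}


def find_rdp_registry_changes(events):
    """Sysmon 13 writes that set either watched value to 0 (the permissive state)."""
    findings = []
    for e in events:
        if e.get("EventID") != 13:
            continue
        label = WATCHED.get(str(e.get("TargetObject", "")).lower())
        if label and parse_dword(e.get("Details", "")) == 0:
            findings.append((e["Computer"], e["Image"], label))
    return findings


if __name__ == "__main__":
    evts = load_events(SAMPLE_LOG)
    for host, acct in find_newcredentials_logons(evts):
        print(f"[logon type 9 / seclogo] {host}: {acct}")
    for host, image, label in find_rdp_registry_changes(evts):
        print(f"[registry] {host}: {label} via {image}")
```

Both detections key on the permissive value 0, so a hardening change that sets DisableRestrictedAdmin back to 1 is deliberately not flagged; in production you would add the writing process and the account that performed the write to the finding before triage.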
Cobalt Strike beacons were also distributed to other hosts through remote service creation, using several different payloads.
During credential access, the attackers opened password-related documents, and WordPad was used to read other sensitive files. Contracts and other legal documents and folders were also among the files of interest to them.