Hackers use black hat SEO techniques to manipulate search engine rankings and make malicious or fraudulent websites more visible.
Recently, Zscaler cybersecurity researchers witnessed a wave of fraudulent sites hosted on popular web hosting services and blogging platforms that threat actors use for SEO poisoning and malware distribution.
Legitimate hosting platforms allow attackers to quickly conduct SEO poisoning attacks and artificially boost the rankings of harmful content on search results pages.
The following websites appear to be legitimate. However, they host malware and use search results to trick people into downloading malicious software.
Attackers create fake sites that go unnoticed by hosting services.
When users search for something and click on a poisoned result, they are unknowingly directed to a malicious site. Visitors who open the URL directly are not redirected, because a direct visit may be part of a security analysis.
These sites check the referring URL and continue the redirect chain only when the visitor arrives from a search engine. Someone who accesses the page directly, without that referrer, sees no redirection, which helps the sites evade detection by researchers.
According to Zscaler researchers, the hidden script examines the referrer and redirects based on string concatenation and mathematical operations that obfuscate the logic.
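The referrer check described above can be tested from the analyst's side by requesting the same URL twice, once with no Referer and once with a search-engine Referer, and comparing what comes back. The script below is an added example, not Zscaler's tooling or code from the campaign; the Referer value, the redirect patterns it looks for and the size heuristic are assumptions chosen for the check.

```python
import re
import urllib.request
from urllib.error import HTTPError

# Referer a search-engine visitor would carry (constructed value for the check).
SEARCH_REFERER = "https://www.google.com/"

# Client-side redirect constructs that a cloaked page commonly emits only
# for search-engine visitors.
REDIRECT_PATTERNS = [
    re.compile(r"window\.location|location\.(href|replace)", re.I),
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I),
]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 30x response itself is the evidence."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, referer=None, timeout=10):
    """Fetch once and return (status, headers, body) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        # A 30x with redirects disabled surfaces here; keep its headers and body.
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def cloaking_indicators(direct, referred):
    """Compare the response to a direct visit with the response to a search-engine visit.

    Each argument is a (status, headers, body) tuple as returned by fetch().
    Returns a list of human-readable indicators; an empty list means no difference seen.
    """
    d_status, d_headers, d_body = direct
    r_status, r_headers, r_body = referred
    indicators = []
    if d_status != r_status:
        indicators.append(f"status differs: direct={d_status} referred={r_status}")
    d_loc = {k.lower(): v for k, v in d_headers.items()}.get("location")
    r_loc = {k.lower(): v for k, v in r_headers.items()}.get("location")
    if r_loc and r_loc != d_loc:
        indicators.append(f"server redirect only for referred visit: {r_loc}")
    for pat in REDIRECT_PATTERNS:
        if pat.search(r_body) and not pat.search(d_body):
            indicators.append(f"client-side redirect only for referred visit: {pat.pattern}")
    if d_body and r_body and len(r_body) < len(d_body) // 2:
        indicators.append("referred response much smaller than direct response")
    return indicators


def check_url(url):
    """Fetch a URL both ways and report cloaking indicators (network access required)."""
    return cloaking_indicators(fetch(url), fetch(url, referer=SEARCH_REFERER))


if __name__ == "__main__":
    import sys
    for indicator in check_url(sys.argv[1]):
        print(indicator)
```

Run it as `python cloak_check.py https://suspect.example/` from an analysis host; an empty result only means the site did not discriminate on the Referer header, since a site may also key on User-Agent, cookies or the client IP.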
It is aimed at people looking for cracked software and displays a fake MediaFire page hosted on Weebly. Although this page looks genuine, it offers malware rather than a crack.
Although it looks identical at first glance, the URL of the fake page is not a MediaFire URL.
The downloaded payload contains a nested, password-protected ZIP archive, with the password hidden inside an image to avoid detection.
The installer drops a malicious DLL alongside the legitimate GPG (GNU Privacy Guard) software and uses DLL sideloading to load it.
It then launches explorer.exe and injects malicious code into that process via an undocumented API call.
Explorer.exe runs PowerShell with obfuscated arguments and downloads an encoded script that performs deobfuscation including substitutions, Base64 decoding, and XOR operations before execution.
Multiple layers of obfuscation hide the malicious activity: characters of the Base64 data are replaced with special characters to avoid detection, then substituted back and decoded.
This includes multiple layers of obfuscation with encoded sections and self-decrypting scripts.
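The decoding steps named above (character substitution, Base64 decoding, XOR) can be scripted so an analyst peels every layer of a self-decrypting script in one pass. The block below is an added example and is not Zscaler's decoder or code from the campaign; the substitution table, the `$k='…';$d='…'` stub format and the two-layer sample it builds for itself are all constructed for the demonstration.

```python
import base64
import re

# Constructed substitution table for this sample: five Base64 alphabet characters were
# swapped for special characters so the blob no longer looks like Base64 to a scanner.
# The mapping is hypothetical; in a real sample it is read out of the decoder stub.
SUBSTITUTIONS = {"!": "A", "#": "e", "$": "=", "%": "+", "@": "/"}
REVERSE_SUBSTITUTIONS = {v: k for k, v in SUBSTITUTIONS.items()}

# Each layer is a PowerShell-style stub that carries its own XOR key and payload.
# This stub format is constructed for the example, not taken from the campaign.
STAGE_RE = re.compile(r"\$k\s*=\s*'([0-9a-fA-F]+)'\s*;\s*\$d\s*=\s*'([^']+)'")


def xor_bytes(data, key):
    """XOR data with a repeating key (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_layer(stage):
    """Undo one layer: parse key and blob, restore substituted characters,
    Base64-decode, then XOR. Returns None when the text is not a stage stub."""
    match = STAGE_RE.search(stage)
    if match is None:
        return None
    key = bytes.fromhex(match.group(1))
    blob = "".join(SUBSTITUTIONS.get(ch, ch) for ch in match.group(2))
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8")


def peel(stage, max_layers=10):
    """Peel layers until the text no longer matches the stub format; returns every stage seen."""
    history = [stage]
    for _ in range(max_layers):
        inner = decode_layer(history[-1])
        if inner is None:
            break
        history.append(inner)
    return history


def build_layer(inner, key):
    """Build a test fixture in the same stub format (constructed sample, not real malware)."""
    blob = base64.b64encode(xor_bytes(inner.encode("utf-8"), key)).decode("ascii")
    blob = "".join(REVERSE_SUBSTITUTIONS.get(ch, ch) for ch in blob)
    return f"$k='{key.hex()}';$d='{blob}'"


# Constructed two-layer sample wrapping a harmless final command.
FINAL_STAGE = "Write-Host 'final stage'"
SAMPLE = build_layer(build_layer(FINAL_STAGE, b"\x5a\x13"), b"\x07")


def recovered_final(sample=SAMPLE):
    """Return the innermost stage of a layered sample."""
    return peel(sample)[-1]


if __name__ == "__main__":
    for depth, text in enumerate(peel(SAMPLE)):
        print(f"layer {depth}: {text[:60]}")
```

Keeping every intermediate stage in `history` matters in practice: the outer layers are where the C2 URL, the XOR key and the download logic usually sit, and they are what a detection rule or a YARA signature is written against.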
When executed, it drops the files of a malicious browser extension and creates browser shortcuts that load it.
It communicates with the command and control server (C2) and downloads a malicious payload that is executed by rundll32.exe.
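The execution chain described in the preceding paragraphs leaves process-creation telemetry that a detection engineer can match on: explorer.exe started by something other than the usual parent, PowerShell launched under explorer.exe with hiding and encoding switches, and rundll32.exe running a DLL from a user-writable directory. The script below is an added example, not Zscaler's detection content; the Sysmon-like events are constructed, and the fixture assumes for illustration that rundll32.exe is a child of the PowerShell stage, which the article does not state.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (not real telemetry).
# The chain mirrors the article's description: explorer.exe started from a dropped
# installer, PowerShell with obfuscated arguments under explorer.exe, and rundll32.exe
# running a DLL from a user-writable path (its parent is assumed here for the fixture).
EVENTS = [
    {"pid": 4100, "ppid": 3200, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\setup.exe", "cmdline": "explorer.exe"},
    {"pid": 4320, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc "
                "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"pid": 4500, "ppid": 4320, "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,Start"},
    {"pid": 5000, "ppid": 4100, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# Parents that normally start explorer.exe on a workstation.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe"}

# Locations a legitimate rundll32.exe call would rarely load a DLL from.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\", re.I)

# PowerShell argument patterns that together signal a hidden, obfuscated launch.
PS_SUSPICIOUS = [
    (re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I), "encoded command"),
    (re.compile(r"(^|\s)-w(indowstyle)?\s+hidden(\s|$)", re.I), "hidden window"),
    (re.compile(r"(^|\s)-nop(rofile)?(\s|$)", re.I), "no profile"),
    (re.compile(r"(^|\s)-(ep|executionpolicy)\s+bypass(\s|$)", re.I), "execution policy bypass"),
]


def basename(path):
    """Last path component, lower-cased, for Windows paths."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (pid, reason) findings for the three links of the chain."""
    findings = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent"])
        if image == "explorer.exe" and parent not in EXPECTED_EXPLORER_PARENTS:
            findings.append((ev["pid"], f"explorer.exe started by unexpected parent {parent}"))
        elif image == "powershell.exe" and parent == "explorer.exe":
            hits = [label for pat, label in PS_SUSPICIOUS if pat.search(ev["cmdline"])]
            if hits:
                findings.append((ev["pid"], "powershell.exe under explorer.exe with " + ", ".join(hits)))
        elif image == "rundll32.exe" and USER_WRITABLE.search(ev["cmdline"]):
            findings.append((ev["pid"], "rundll32.exe loading a DLL from a user-writable path"))
    return findings


def ancestry(events, pid):
    """Walk ppid links back as far as the events allow, to give an alert its context."""
    by_pid = {ev["pid"]: ev for ev in events}
    names = []
    while pid in by_pid:
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return " <- ".join(names)


if __name__ == "__main__":
    for pid, reason in analyze(EVENTS):
        print(f"{pid}: {reason} [{ancestry(EVENTS, pid)}]")
```

The powershell.exe rule fires only when at least one switch matches and the parent is explorer.exe, which keeps it quiet on interactive use; tune `EXPECTED_EXPLORER_PARENTS` for environments where a logon script or management agent legitimately restarts the shell.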
The extension steals a large amount of browser, system and user data, and looks up its C2 domains via Bitcoin addresses on blockchain.info before performing the exfiltration.
The following types of data are collected by the malicious extension:
- System information
- Browser cookies
- Browser fingerprint
- Credentials
- Machine information
- Browser extensions
- Extension permissions
- Cookies
- Browser history
This campaign exploits user trust by poisoning search engines through black hat SEO and leveraging seemingly trustworthy fake websites to distribute malware.
The attackers' goal is to manipulate search results for profit, so to avoid this campaign you should not download software from questionable websites and should only obtain it from trusted sources.