A new SEO poisoning campaign is underway, with the purpose of infecting targeted systems with the BATLOADER and Atera Agent malware. It appears to be aimed at professionals looking to download productivity applications such as TeamViewer, Zoom, or Visual Studio. SEO poisoning is a tactic used by hackers in cyberattacks to build up malicious websites loaded with certain keywords that visitors typically seek up in search engines. Then they use various SEO (Search Engine Optimization) techniques to make these appear prominently in search results.
According to a report by Mandiant researchers, in this malicious SEO campaign, threat actors attack legitimate websites in order to plant compromised files or URLs. Users are thus routed to websites that host malware posing as well-known applications.
“The threat actor used “free productivity apps installation” or “free software development tools installation” themes as SEO keywords to lure victims to a compromised website and to download a malicious installer. The installer contains legitimate software bundled with the BATLOADER malware. The BATLOADER malware is dropped and executed during the software installation process.” said the researchers.
“This initial BATLOADER compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization. Every stage was prepared for the next phase of the attack chain. And legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe allow proxy execution of malicious payloads to avoid detection,” they added.
A file called "AppResolver.dll" was discovered in the attack chain as a significant sample. This DLL sample is an internal component of Microsoft's Windows Operating System, but it contains malicious VBScript inserted in such a way that the code signature stays valid. When run on its own, the DLL sample does not execute the VBScript. When ran with Mshta.exe, Mshta.exe locates and executes the VBScript without error.
This vulnerability is similar to CVE-2020-1599 in that the PE Authenticode signature remains valid after appending HTA compatible scripts signed by any software developer. These PE+HTA polyglot (.hta files) can be used by Mshta.exe to circumvent security solutions that rely on Microsoft Windows code signing to determine whether or not files are trusted.
In this case, researchers discovered that arbitrary script data was attached to the signature section of a legitimately signed Windows PE file at the end of the ASN.1. As long as the file extension is not '.hta,' the resulting polyglot file retains a valid signature. If this polyglot file is executed with Mshta.exe, the script contents will be successfully executed since Mshta.exe will skip the PE's bytes, locate the script at the end, and execute it.
