
Malicious SEO Campaign is Leading Search Engine Users to JavaScript Malware

The campaign targets employees from several industries and government entities when they search for specific terms relevant to their work.


Threat analysts from security firm Deepwatch have uncovered a sophisticated search engine optimization (SEO) poisoning campaign that targets employees from several industries and government entities when they search for specific terms relevant to their work. The poisoned results rank highly in the search listings; when victims click them, they unknowingly download a popular JavaScript malware downloader.

"Our findings suggest the campaign may have foreign intelligence service influence through analysis of the blog post subjects," researchers explained in a new report. "The threat actors used blog post titles that an individual would search for whose organization may be of interest to a foreign intelligence service e.g., 'Confidentiality Agreement for Interpreters.' The Threat Intel Team discovered the threat actors highly likely created 192 blog posts on one site." 

SEO poisoning modus operandi 

The researchers identified the campaign while investigating an incident in which an employee searched Google for "transition services agreement" and landed on a malicious site presenting what appeared to be a forum thread, where one of the participants shared a link to a zip archive.

The zip archive contained a file named "Accounting for transition services agreement" with a .js (JavaScript) extension. The file was a variant of Gootloader, a multi-stage JavaScript malware loader that has been in the wild since late 2020.

While investigating the site hosting the malware delivery page, the researchers found that it was a sports streaming distribution site. Hidden within its layout, however, were more than 190 blog posts on topics relevant to professionals in various industry sectors. These blog posts are reachable only through Google search results.

"The suspicious blog posts cover topics ranging from government, and legal to real estate, medical, and education," the researchers added. "Some blog posts cover topics related to specific legal and business questions or actions for US states such as California, Florida, and New Jersey. Other blog posts cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries." 

The attackers also used machine translation to generate Portuguese and Hebrew versions of these blog posts. Threat analysts attribute the campaign to a group tracked as TAC-011, which has been active for several years, has likely compromised hundreds of legitimate WordPress websites, and may have generated thousands of individual blog posts to inflate its Google search rankings.

Thwarting SEO poisoning assaults 

The researchers recommended that organizations train their employees, remain vigilant about SEO poisoning attacks, and never open files with potentially dangerous script extensions. Files with risky script extensions such as .js, .vbs, .vbe, .jse, .hta, and .wsf can be associated with a text editor such as Notepad, so that opening them shows their contents rather than executing them with the Microsoft Windows Script Host program, which is the default behavior in Windows.
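As an added example of the Notepad remapping described above (this is not code from the article or from Deepwatch's report), the following PowerShell script, run from an elevated prompt, repoints the default open handler for the listed script extensions to Notepad. It assumes the stock Windows ProgIDs (JSFile, VBSFile, htafile, and so on) are still registered under HKLM:\SOFTWARE\Classes; the per-user override caveat is noted in the closing comment.

```powershell
# Added example, not from the article or the Deepwatch report.
# Repoints the default double-click handler for Windows Script Host and HTA
# extensions to Notepad, so a downloaded "agreement.js" opens as text instead
# of executing. Run from an elevated (Administrator) PowerShell prompt.
# Assumes the stock Windows ProgIDs (JSFile, VBSFile, htafile, ...) are still
# registered under HKLM:\SOFTWARE\Classes.

$scriptExtensions = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.hta'
$notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
$safeCommand = "`"$notepad`" `"%1`""

foreach ($ext in $scriptExtensions) {
    $extKey = "HKLM:\SOFTWARE\Classes\$ext"
    if (-not (Test-Path $extKey)) {
        Write-Warning "$ext is not registered; nothing to change"
        continue
    }
    # The extension key's default value names the ProgID (e.g. .js -> JSFile)
    $progId = (Get-ItemProperty -Path $extKey).'(default)'
    if ([string]::IsNullOrEmpty($progId)) {
        Write-Warning "$ext has no ProgID; skipping"
        continue
    }
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
    $before = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    # Create the command key if it is missing, then replace the handler
    # (normally WScript.exe for WSH files, mshta.exe for .hta) with Notepad.
    if (-not (Test-Path $cmdKey)) { New-Item -Path $cmdKey -Force | Out-Null }
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $safeCommand
    Write-Host ("{0,-5} {1,-8} was: {2}" -f $ext, $progId, $before)
}

# Verify: each ProgID's open command must now point at Notepad.
foreach ($ext in $scriptExtensions) {
    $progId = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrEmpty($progId)) { continue }
    $now = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$progId\shell\open\command").'(default)'
    $status = if ($now -eq $safeCommand) { 'OK' } else { 'NOT CHANGED' }
    Write-Host ("{0,-5} {1}" -f $ext, $status)
}

# Caveat: a per-user "Open with" choice stored under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice
# takes precedence over this machine-wide mapping for that user, and the files can
# still be executed by invoking wscript.exe or cscript.exe explicitly; this change
# only removes the double-click execution path that campaigns like this rely on.
```

Deploying the same mapping through Group Policy or an endpoint management tool keeps it consistent across a fleet rather than relying on a one-off script.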

The security analysts also advised organizations to make sure employees have the agreement templates they need available internally. Over 100 of the blog posts found on that one compromised sports streaming site related to business agreement templates. The attackers have used the fake forum thread technique since at least March 2021, which suggests they still consider it a viable, high-success-rate approach.