Cybersecurity researchers at Zscaler ThreatLabz have uncovered a concerning trend in which cybercriminals are exploiting popular web hosting and blogging platforms to disseminate malware and steal sensitive data. This sophisticated tactic, known as SEO poisoning within the realm of Black Hat SEO techniques, has been employed to manipulate search engine results, pushing fraudulent websites to the forefront of users' search queries, thereby increasing the risk of unwittingly accessing malicious content.
How They Operate
The cybercriminals orchestrating these operations have devised intricate strategies to evade detection and entice unsuspecting users into downloading malware. They fabricate fraudulent websites spanning a wide array of topics, ranging from pirated software to culinary recipes, often hosted on well-established platforms such as Weebly. By adopting the guise of legitimate sites, complete with endorsements like "Powered by Weebly," they exploit users' trust in reputable services to perpetrate their malicious activities.
The process commences with cybercriminals setting up sham sites on web hosting services, adeptly avoiding detection by both hosting providers and users. When individuals search for relevant content and click on links from search results, they unknowingly find themselves on these malevolent sites. To circumvent scrutiny from security researchers, the perpetrators implement evasion techniques, including scrutinising referral URLs. Should a user access the site directly, indicating a potential analysis, the site tactfully sidesteps redirection to preserve its cloak of invisibility.
The Payload Delivery System
Malicious payloads are secretly delivered through multi-layered zipped files concealed within seemingly innocuous content. For instance, an individual seeking cracked software may inadvertently download malware instead of the anticipated content. Upon execution, the malware puts together a sequence of activities, encompassing process hollowing and DLL sideloading, aimed at downloading additional malware and establishing communication with command-and-control servers.
Tricks to Avoid Detection
To further complicate their activities, threat actors employ techniques, including string concatenation, mathematical manipulation, and the utilisation of password-protected ZIP archives. These tactics serve to confound security measures, rendering the malicious code arduous to decipher and bolstering the malware's ability to slightly pass over detection.
Data Theft and Deceptive Tactics
Once ensconced within a system, the malware embarks on an mission to harvest extensive troves of data, encompassing system information, browser data, credentials, and browsing history. Additionally, it sets its sights on emails pertaining to cryptocurrency exchanges, adeptly modifying email content and intercepting one-time authentication codes to facilitate unauthorised access.
How To Protect Yourself?
Keeping in mind such campaigns, users are advised to exercise utmost caution when procuring software from unfamiliar sources and to prioritise visiting reputable websites. Staying abreast of emerging cybersecurity threats and securing defences with robust protocols can substantially mitigate the risk of succumbing to potential infections.
