Ransomware gangs use SEO poisoning to infect visitors

Researchers have observed two campaigns, linked to the REvil ransomware gang and the SolarMarker backdoor respectively, that use SEO poisoning to serve payloads to targets.
SEO poisoning, also known as "search poisoning," is an attack method that relies on optimizing websites with "black hat" SEO techniques so that they rank higher in Google search results.
Because of their high ranking, victims who land on these sites believe they are legitimate, and the actors enjoy a heavy influx of visitors who search for specific keywords.
SEO for ransomware
According to the findings of the Menlo Security team, SEO poisoning by malware distributors is on the rise, with two notable examples being the Gootloader and SolarMarker campaigns.
The actors inject sites with keywords that cover over 2,000 unique search terms, including "sports mental toughness," "industrial hygiene walk-through," "5 levels of professional development evaluation," and more.
The optimized sites appear in search results as PDFs that, when visited, prompt the user to download the document, as shown below.

Malicious website prompting a visitor to download a PDF document. Source: Menlo Security
When they click on the download button, users are redirected through a series of sites that ultimately drop a malicious payload.
The threat actors use these redirects to prevent their sites from being removed from the search results for hosting malicious content.
In these particular campaigns, the threat actors were dropping either REvil via Gootloader or the SolarMarker backdoor.
Exploiting a WordPress plugin vulnerability
In the two campaigns observed by the researchers, the actors did not create their own malicious sites but instead hacked legitimate WordPress sites that already had a good Google search ranking.
The sites were hacked by abusing an undisclosed flaw in the 'Formidable Forms' WordPress plugin, which the hackers used to upload laced PDFs into the '/wp-content/uploads/formidable/' folder.
If you are using this particular plugin, upgrading to version 5.0.10 or later is advisable, even though 5.0.07 was the latest version observed in the compromised set.
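A defender-side check for the two points above, the plugin version and the contents of the Formidable uploads folder, written as an added example and not code from Menlo Security, BleepingComputer or the plugin's authors. The WordPress plugin-header format and upload path are assumed to be standard, and the sample header and PDF bytes are constructed inputs, not files from the campaign.

```python
import re
from pathlib import Path

# Article: upgrade Formidable Forms to 5.0.10 or later; 5.0.07 was seen on compromised sites.
FIXED_VERSION = (5, 0, 10)
# PDF keys that make a document interactive; a plain form attachment should not need them.
SUSPICIOUS_KEYS = (b"/URI", b"/JavaScript", b"/Launch", b"/OpenAction")

# Constructed sample inputs (not real files from the campaign).
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: Formidable Forms\nVersion: 5.0.07\n*/\n"
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (https://redirect.invalid/download) >> >> endobj\n%%EOF")


def parse_version(header_text: str):
    """Return the plugin header's 'Version:' value as an int tuple, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9.]+)", header_text, re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable_version(header_text: str) -> bool:
    """Tuple comparison orders 5.0.9 before 5.0.10 correctly, unlike a string compare."""
    v = parse_version(header_text)
    return v is not None and v < FIXED_VERSION


def scan_pdf_bytes(data: bytes):
    """Return (suspicious keys present, link targets) for one PDF's raw bytes."""
    keys = [k.decode() for k in SUSPICIOUS_KEYS if k in data]
    urls = [u.decode(errors="replace") for u in re.findall(rb"/URI\s*\(([^)]*)\)", data)]
    return keys, urls


def scan_upload_dir(uploads: Path) -> dict:
    """Walk the Formidable uploads folder and report every PDF carrying suspicious keys."""
    findings = {}
    if not uploads.is_dir():
        return findings
    for pdf in uploads.rglob("*.pdf"):
        keys, urls = scan_pdf_bytes(pdf.read_bytes())
        if keys:
            findings[str(pdf)] = {"keys": keys, "urls": urls}
    return findings


if __name__ == "__main__":
    print("vulnerable plugin version:", is_vulnerable_version(SAMPLE_HEADER))
    print("sample PDF findings:", scan_pdf_bytes(SAMPLE_PDF))
    # Real use on a site, assuming the standard WordPress layout (path is an assumption):
    print(scan_upload_dir(Path("wp-content/uploads/formidable")))
```

Any PDF flagged here is only a lead for manual review; legitimate documents can carry links too, so compare the upload timestamps and link targets against what the site's forms are expected to accept.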
The industry verticals of the types of sites compromised in this campaign are shown in the chart below.

Types of websites compromised with laced PDF files. Source: Menlo Security
As you can see from the image above, the attackers heavily targeted sites in the business category, likely because these sites commonly host PDFs in the form of guides and reports.
Spreading a wider net
When modern encrypting ransomware first launched in 2012, threat actors would spread a wide net in their attacks in the hope of infecting as many people as possible.
As ransomware gangs are now targeting high-value companies for multi-million dollar payouts, this spray-and-pray approach is not seen as often, since it will likely infect users who would not be willing to pay large ransoms.
However, BleepingComputer is aware of one REvil affiliate who conducted wide-scale attacks to infect consumers and small businesses alike.
Instead of demanding hundreds of thousands, if not millions, of dollars as ransoms, this affiliate would demand between $1,500 and $7,500.
While it is not known whether this affiliate used SEO poisoning attacks, this type of attack would have fit their model of indiscriminately targeting any kind of victim.