About the technique
An SEO poisoning technique is used to trick users into downloading installers (for TeamViewer, Zoom, Visual Studio, and possibly other software) bundled with “Batloader” and “Atera”. Those installers are distributed through compromised websites that appear in search results for certain keywords, such as “free productivity apps installation” or “free software development tools installation”.
Poisoning search results
When a user clicks on the search engine link, they will be brought to the compromised site that includes a Traffic Direction System (TDS). Traffic Direction Systems are scripts that check for various attributes of a visitor and use that information to decide whether they should be shown the legitimate webpage or be redirected to another malicious site under the attacker’s control.
In similar campaigns in the past, the TDS would only redirect visitors if they came from a search engine result. Otherwise, the TDS would show the visitor the normal and legitimate website.
This technique helps prevent analysis by security researchers, since the malicious behavior is only shown to visitors who arrived from a search engine.
If a visitor is redirected, the malicious site will show them a fake forum discussion where a user asks how to get a particular app, and another phony user provides a download link, as shown below.
What does the initial compromise look like?
When the downloaded program is executed, it starts two different infection chains that drop malware payloads on the device.
The first infection chain starts with installing the fake software bundled with the Batloader malware, which then fetches and executes further payloads such as Ursnif and Atera Agent.
The second infection chain drops Atera Agent directly, bypassing the malware loading stages. Atera is a legitimate remote management solution that is being abused for lateral movement and deeper infiltration.
In the first infection chain, the actors use MSHTA to execute a legitimate Windows DLL (AppResolver) laced with a malicious VBScript that changes Microsoft Defender settings and adds specific exclusions.
The PE Authenticode signature in the Windows file remains valid even though the actors have added their malicious code to it, which is a problem that Microsoft attempted to address with the CVE-2020-1599 fix.
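As an added example that is not part of the original post, the following Python detection logic runs over constructed process-creation events (not real telemetry) and flags the two first-stage behaviours described above: mshta.exe being handed a .dll path instead of an .hta file, and a Defender preference change launched from that mshta process. The event fields, file paths and the `*-MpPreference` command line are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (not real telemetry).
# Each record is one process: its pid, parent pid, image name and command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "1", "ppid": "0", "image": "explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": "2", "ppid": "1", "image": "TeamViewer-Setup.exe",
     "cmd": "C:\\Users\\u\\Downloads\\TeamViewer-Setup.exe"},
    {"pid": "3", "ppid": "2", "image": "mshta.exe",
     "cmd": "mshta.exe C:\\Users\\Public\\AppResolver.dll"},
    {"pid": "4", "ppid": "3", "image": "powershell.exe",
     "cmd": "powershell.exe -c Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"pid": "5", "ppid": "1", "image": "mshta.exe",
     "cmd": "mshta.exe C:\\Program Files\\App\\help.hta"},  # benign: a real .hta
]

# mshta.exe is meant to run .hta files; a .dll argument matches the
# "signed DLL laced with VBScript" stage described in the post.
MSHTA_DLL = re.compile(r"mshta(\.exe)?\s+.*\.dll\b", re.IGNORECASE)

# Defender tampering: adding exclusions or disabling protection via the
# Add-MpPreference / Set-MpPreference cmdlets.
DEFENDER_TAMPER = re.compile(
    r"(Add|Set)-MpPreference\s+-(Exclusion(Path|Process|Extension)|Disable\w+)",
    re.IGNORECASE)

def detect_batloader_chain(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (severity, pid, reason) alerts. A Defender change whose parent
    is an mshta->DLL execution is raised as high severity, because the two
    events together match the full first-stage chain rather than one
    suspicious command seen in isolation."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[str, str, str]] = []
    for e in events:
        if e["image"].lower() == "mshta.exe" and MSHTA_DLL.search(e["cmd"]):
            alerts.append(("medium", e["pid"], "mshta executing a DLL"))
        if DEFENDER_TAMPER.search(e["cmd"]):
            parent = by_pid.get(e["ppid"])
            sev = "high" if parent and MSHTA_DLL.search(parent["cmd"]) else "medium"
            alerts.append((sev, e["pid"], "Defender preference tampering"))
    return alerts

if __name__ == "__main__":
    for alert in detect_batloader_chain(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample events it reports the mshta DLL execution (pid 3) and the exclusion added by its child (pid 4) while ignoring the legitimate .hta launch.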
What is CyberConvoy doing to detect these kinds of attacks?
We have confirmed that our close to 1,000 detection scripts provide sufficient coverage to detect such attacks.
We have rules in place that detect this attack at the first stage of the initial compromise, where the downloaded DLL executes a malicious VBScript that changes the antivirus solution's settings.
Further stages are covered as well, since we have rules to detect possible privilege escalation, reconnaissance, and credential harvesting.
Our team of analysts is continuously monitoring and running active simulations to ensure that this kind of activity would not go unnoticed.
Source: Bleeping Computer