Researchers have discovered two operations that leverage SEO poisoning to deliver payloads to targets. They are tied to either the REvil ransomware gang or the SolarMarker backdoor.
SEO poisoning, often known as “search poisoning,” is a type of attack that involves employing “black hat” SEO practices to boost a website’s ranking in Google search results.
Victims who visit these sites assume them as authentic because of their high rating. And, actors benefit from a large stream of visitors searching for certain keywords.
As per the team of Menlo Security, SEO poisoning via malware distributors is rising, with two major instances being the Gootloader and SolarMarket campaigns.
Threat actors insert over 2,000 unique search terms into the sites, such as “sports mental toughness,” “five stages of professional development evaluation,” “industrial hygiene walk-through,” and more.
The optimized sites display in search results as PDFs that encourage users to download the document when they visit them. When users click the download button, they are led to a sequence of websites, each of which contains a dangerous payload.
Threat actors use these redirections to avoid having their sites removed from search results for hosting harmful content. In these operations, actors were either releasing REvil through Gootloader or the SolarMarker backdoor.
The researchers discovered the perpetrators in the two campaigns didn’t construct their malicious sites; instead, they hacked genuine WordPress sites with high Google search rankings.
The sites were hacked using an undocumented hole in the ‘Formidable Forms’ WordPress plugin, which the hackers exploited by uploading laced PDF to the ‘/wp-content/uploads/formidable/’ folder.
Even though 5.0.07 was the most current version discovered in the compromised collection, updating to version 5.0.10 or later is recommended if you use this plugin.
While it is unknown if this affiliate used SEO poisoning campaigns, such an attack would have matched their strategy of indiscriminately targeting any victim.