A new SEO poisoning campaign is under way. It targets professionals searching for downloads of productivity tools such as Zoom, TeamViewer, and Visual Studio and infects them with the BATLOADER and Atera Agent malware. The operation relies on legitimate websites that have been compromised to host malicious files or links, which funnel visitors to sites serving malware disguised as popular software. Victims unwittingly infect themselves with malware and remote access software when they download and run the fake installers.
The threat actors use search engine optimization (SEO) techniques to push the compromised but otherwise legitimate sites into search results for popular applications. Targeted keywords include Zoom, Microsoft Visual Studio 2015, TeamViewer, and others. When a user clicks the search result, the compromised website routes them through a Traffic Direction System (TDS). A TDS is a script that inspects a visitor's properties (for example the referrer, user agent, or geolocation) and uses them to decide whether to show the genuine page or redirect the visitor to an attacker-controlled malicious site.
In earlier campaigns, the TDS redirected only visitors who arrived via a search engine result; everyone else was shown an ordinary, legitimate blog post. This makes analysis harder for security researchers, since the malicious behaviour is only visible to visitors who came from a search engine. A redirected user lands on a malicious site that displays a fake forum thread in which one user asks where to obtain a specific piece of software and another fake user replies with a download link.
Clicking the download link causes the site to build a malware bundle named after the requested program. Because the bundles include the genuine application, many victims never realise they have been infected. Mandiant analysts discovered the following malicious domains being used in this campaign:
Running the downloaded installer launches one of two distinct infection chains, each of which ends with malware payloads on the device. The first chain installs the fake software bundled with the BATLOADER malware, which then fetches and executes further payloads such as Ursnif and Atera Agent. The second chain drops Atera Agent directly, skipping the malware-loader stages. Atera is a legitimate remote management tool, which the attackers use for lateral movement and deeper access into the environment.
In the first infection chain, the actors use MSHTA to alter Microsoft Defender settings and add specific exclusions by executing a legitimate Windows DLL (AppResolver) that has been laced with malicious VBScript. Even after the malicious code is appended to the Windows file, its PE Authenticode signature remains valid, a flaw Microsoft intended to address with the fix for CVE-2020-1599. The bypass technique is also described in Mandiant's report.
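As an added defender-side example (not from the article or from Mandiant's report), the following Python correlates a constructed Sysmon process-creation record for mshta.exe with a constructed Microsoft Defender Operational log event 5007 (antimalware configuration change) that adds an exclusion, the combination described above. Timestamps, paths and the exact message wording are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Defender event 5007 reports the changed registry value; exclusions live under
# HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\{Paths,Extensions,Processes}.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0", re.I)

@dataclass
class Event:
    ts: datetime
    source: str      # "sysmon" (Event ID 1, process creation) or "defender" (Event ID 5007)
    event_id: int
    message: str

def parse_exclusion(message):
    """Return (kind, value) if the message adds a Defender exclusion, else None."""
    m = EXCLUSION_RE.search(message)
    return (m.group("kind"), m.group("value")) if m else None

def correlate(events, window=timedelta(minutes=10)):
    """Alert on every exclusion change; raise severity when mshta.exe ran shortly before."""
    mshta_starts = [e for e in events if e.source == "sysmon" and e.event_id == 1
                    and "mshta.exe" in e.message.lower()]
    alerts = []
    for e in events:
        if e.source != "defender" or e.event_id != 5007:
            continue
        excl = parse_exclusion(e.message)
        if excl is None:
            continue
        nearby = [m for m in mshta_starts if timedelta(0) <= e.ts - m.ts <= window]
        alerts.append({"ts": e.ts, "kind": excl[0], "value": excl[1],
                       "severity": "high" if nearby else "medium",
                       "trigger": nearby[-1].message if nearby else None})
    return alerts

# Constructed sample telemetry (not real logs): mshta launches a DLL from a
# user-writable directory, and twelve seconds later Defender excludes that directory.
SAMPLE_EVENTS = [
    Event(datetime(2021, 11, 1, 9, 0, 0), "sysmon", 1,
          r"Image: C:\Windows\System32\mshta.exe CommandLine: mshta.exe C:\Users\Public\AppResolver.dll"),
    Event(datetime(2021, 11, 1, 9, 0, 12), "defender", 5007,
          r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public = 0x0"),
    Event(datetime(2021, 11, 1, 9, 30, 0), "sysmon", 1,
          r"Image: C:\Windows\System32\notepad.exe CommandLine: notepad.exe"),
    Event(datetime(2021, 11, 1, 14, 0, 0), "defender", 5007,
          r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.log = 0x0"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"], alert["kind"], alert["value"], alert["trigger"])
```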
Although unrelated actors could copy the campaign, the fact that the VBScript was loaded from a signed Windows file suggests a skilled operator. Deploying ransomware through Atera Agent would be straightforward, although the SEO lures are targeted at specific companies.