Security researchers recently uncovered a malicious campaign using SEO poisoning to trick potential victims into downloading the BATLOADER malware. The attackers created malicious sites packed with keywords for popular software products and used search engine optimization (SEO) poisoning to push them higher in search results. Mandiant researchers also observed a clever evasion technique that relied on mshta.exe, a Windows-native utility that executes Microsoft HTML Application (HTA) files.
Another recent example of malware using SEO poisoning to infect users distributed the well-known Raccoon infostealer. That campaign also relied on search-engine-optimized malicious sites that ranked high in Google results, and the hackers used the same tricks on a YouTube channel with videos about warez (pirated software).
SEO Poisoning Delivers the BATLOADER Malware
As for the current BATLOADER malware campaign, the hackers used “free productivity apps installation” or “free software development tools installation” as SEO keywords to lure victims to compromised websites and have them download a malicious installer that bundles legitimate software with the malware. It should be noted that the BATLOADER malware is dropped and executed during the software installation process.
According to Mandiant’s report, “this initial BATLOADER compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization.” The threat actors also used legitimate tools such as PowerShell, Msiexec.exe, and Mshta.exe to avoid detection by security vendors.
One of the elements of the attack resembles the CVE-2020-1599 exploit, a severe bug in Google Chrome reported last year:
One notable sample found in the attack chain was a file named “AppResolver.dll”. This DLL sample is an internal component of the Microsoft Windows Operating System developed by Microsoft, but with malicious VBScript embedded inside in a way that the code signature remains valid. The DLL sample does not execute the VBScript when run by itself. But when run with Mshta.exe, Mshta.exe locates and executes the VBScript without any issues.
This issue most closely resembles CVE-2020-1599, in which a PE Authenticode signature remains valid after appending HTA-supported scripts signed by any software developer. These PE+HTA polyglots (.hta files) can be exploited through Mshta.exe to bypass security solutions that rely on Microsoft Windows code signing to decide if files are trusted. This issue was patched as CVE-2020-1599.
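The quoted passage explains why a signature check alone misses a PE+HTA polyglot: the Authenticode hash does not cover the certificate table or any bytes trailing the last section, so script text placed there leaves the signature intact while mshta.exe still finds and runs it. The following is an added example written for this article, not code from Mandiant or from the report; it parses only as much of the PE header as needed to locate those two unhashed regions and scans them for HTA markers. The marker list, the sample HTA fragment and the minimal PE32 skeleton used as input are all constructed here for an offline demonstration; `find_polyglot_markers` and `build_sample_pe` are names chosen for this example.

```python
import struct
import sys

# Strings mshta.exe acts on when it parses a file as an HTML Application. Constructed list.
SCRIPT_MARKERS = (b"<html", b"<hta:application", b"<script", b"vbscript", b"javascript")

# Constructed, harmless HTA fragment used only as test input for the detector below.
SAMPLE_HTA = b"<html><hta:application id='x'/><script language='vbscript'>' constructed marker</script></html>"


def pe_layout(data: bytes):
    """Parse just enough of the PE headers to return
    (end of the last section's raw data, certificate table offset, certificate table size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at 0x60 in a PE32 optional header, 0x70 in PE32+.
    dd = opt + (0x60 if magic == 0x10B else 0x70)
    # Entry 4 is the security (Authenticode) directory; its first field is a raw file offset.
    cert_off, cert_size = struct.unpack_from("<II", data, dd + 4 * 8)
    sect = opt + opt_size
    image_end = sect + num_sections * 40
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + i * 40 + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    return image_end, cert_off, cert_size


def find_polyglot_markers(data: bytes):
    """Return [(region, file_offset, marker)] for HTA/script markers found in the two
    regions the Authenticode hash does not cover: the certificate table and any overlay."""
    image_end, cert_off, cert_size = pe_layout(data)
    regions = []
    overlay_start = image_end
    if cert_size:
        regions.append(("certificate_table", cert_off, cert_off + cert_size))
        overlay_start = max(image_end, cert_off + cert_size)
    if overlay_start < len(data):
        regions.append(("overlay", overlay_start, len(data)))
    hits = []
    for name, lo, hi in regions:
        chunk = data[lo:hi].lower()
        for marker in SCRIPT_MARKERS:
            idx = chunk.find(marker)
            if idx != -1:
                hits.append((name, lo + idx, marker.decode()))
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_pe(appended: bytes = b"", in_cert_table: bool = False) -> bytes:
    """Constructed, non-executable PE32 skeleton used as offline test input: 0x200 bytes of
    headers, one 0x200-byte .text section, then `appended` either wrapped in a fake
    WIN_CERTIFICATE blob (the CVE-2020-1599 layout) or dropped as a plain overlay."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)                      # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, 0xE0-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = 0x58
    struct.pack_into("<H", pe, opt, 0x10B)                      # PE32 magic
    sect = opt + 0xE0
    pe[sect:sect + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", pe, sect + 8, 0x200, 0x1000, 0x200, 0x200)
    pe += b"\xC3" * 0x200                                       # section body (RET filler)
    if appended and in_cert_table:
        fake_pkcs7 = b"\x30\x82" + b"\x00" * 32                  # stands in for a real signature blob
        blob = fake_pkcs7 + appended
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        win_cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", pe, opt + 0x60 + 4 * 8, len(pe), len(win_cert))
        pe += win_cert
    else:
        pe += appended
    return bytes(pe)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for region, off, marker in find_polyglot_markers(f.read()):
                print(f"{path}: {marker!r} at 0x{off:x} in {region}")
```

A hit is a triage signal rather than proof: installers legitimately carry overlay data, so pair this with an actual signature verification (signtool.exe verify or PowerShell's Get-AuthenticodeSignature) and with process telemetry showing mshta.exe being handed a file that is not an .hta. The point the scan makes is that a valid signature says nothing about bytes outside the hashed image.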
You can read more about the versatile infection chain in the original report.