“Our findings suggest that the campaign may have influence on foreign intelligence services through analysis of blog post topics,” researchers from security firm Deepwatch said in a new report. “Threat actors used blog post titles that an individual would research whose organization a foreign intelligence service might be interested in, for example, ‘Non-Disclosure Agreement for Interpreters.’ The Threat Intel team has discovered that the threat actors most likely created 192 blog posts on a single site.”
How SEO Poisoning Works
Transition Services Agreements (TSAs) are commonly used during mergers and acquisitions to facilitate the transition of part of an organization following a sale. Since they are frequently used, many resources are likely available for them. The fact that the user saw and clicked on this link suggests that it was displayed at the top of the ranking.
Upon examining the site hosting the malicious page, researchers realized that it was a sports streaming site which, judging by its content, was likely legitimate. However, hidden deep within its structure were more than 190 blog posts on various topics that would interest professionals working in different industry sectors. These blog posts are reachable only through Google search results.
“The suspicious blog posts cover topics ranging from government and law to real estate, medicine and education,” the researchers said. “Some blog posts cover topics related to specific legal and business issues or actions for US states such as California, Florida, and New Jersey. Other blog posts cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries.”
Additionally, the attackers deployed a translation mechanism that automatically generates Portuguese and Hebrew versions of these blog posts. Some of the topics are very specific and would attract victims in areas of potential interest to foreign intelligence agencies, for example bilateral air services agreements (civil aviation), intellectual property in government contracts (government contractors) or the Shanghai Cooperation Organization (individuals working in media, foreign affairs or international relations). The blog posts are not duplicates of other web content, which Google would likely detect and penalize in search results, but are instead compiled from multiple sources, giving the appearance of well-researched original posts.
“Given the herculean task of researching and creating hundreds of blog posts, it’s safe to assume that many people are working together,” the researchers said. “However, this task may not be completely impractical for a single person despite the perceived level of effort required to do it.”
How TAC-011 and Gootloader Enable SEO Poisoning
Deepwatch attributes this campaign to a group it tracks as TAC-011, which has been operating for several years, has likely compromised hundreds of legitimate WordPress websites, and may have produced thousands of individual blog posts to inflate their Google search ranking.
Once a visitor clicks on one of the malicious search results, they are not taken directly to the blog post. Instead, an attacker-controlled script collects their IP address, operating system and last known visit, then performs a series of checks before deciding whether to show them the benign blog post or the malicious overlay that mimics a forum thread. According to the researchers’ tests, users who were shown the overlay are not shown it again for at least 24 hours. Visitors using known VPN services or Tor are not directed to the overlay, nor are those using operating systems other than Windows.
“For example, if a company with a Windows Active Directory environment and a computer connected to the organization’s network were compromised, the adversary would know that they have access to that organization,” the researchers said. “At this point, the threat actor could sell access or abandon another post-exploitation tool like Cobalt Strike and move laterally through the environment.”
Mitigating SEO poisoning attacks
Organizations should train their employees to recognize these search result poisoning attacks and never run files with suspicious extensions. A technical control can back this up via Group Policy: change the default file association so that files with potentially dangerous script extensions such as .js, .vbs, .vbe, .jse, .hta, and .wsf open in a text editor such as Notepad rather than running in the Microsoft Windows Based Script Host, which is the default Windows behavior.
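The following PowerShell script is an added example, not code from the article or from Deepwatch, showing how an administrator can audit which program handles the script extensions named above and, with the -Remediate switch, point them at Notepad instead. It assumes the stock Windows extension-to-ProgID mappings (JSFile, VBSFile, htafile and so on) and an elevated session; the same registry values can be distributed as a Group Policy registry preference.

```powershell
# Added example (not from the article or Deepwatch): audit and optionally change the
# default "open" handler for risky script extensions so a double-click opens Notepad
# instead of Windows Script Host or mshta. Run from an elevated PowerShell session.
param([switch]$Remediate)

# Extension -> ProgID mapping as shipped by Windows (assumption: defaults unchanged)
$ScriptTypes = @{
    '.js'  = 'JSFile'
    '.jse' = 'JSEFile'
    '.vbs' = 'VBSFile'
    '.vbe' = 'VBEFile'
    '.wsf' = 'WSFFile'
    '.hta' = 'htafile'
}

# Replacement command: open the file in Notepad rather than executing it
$Notepad     = Join-Path $env:SystemRoot 'System32\notepad.exe'
$SafeCommand = "`"$Notepad`" `"%1`""

foreach ($ext in $ScriptTypes.Keys) {
    $progId  = $ScriptTypes[$ext]
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $current = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

    # Flag handlers that still launch a script interpreter
    $risky = [bool]($current -match 'wscript|cscript|mshta')
    [pscustomobject]@{
        Extension = $ext
        ProgID    = $progId
        Risky     = $risky
        Command   = $current
    }

    if ($Remediate -and $risky) {
        # HKCR writes land in HKLM\SOFTWARE\Classes and apply machine-wide
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $SafeCommand
        Write-Host "Remapped $ext ($progId) to Notepad"
    }
}
```

Per-user associations under HKCU\Software\Classes can override the machine-wide value, so check both hives or enforce the setting through Group Policy for every user profile. Note that this only changes the double-click behaviour; scripts launched explicitly with wscript.exe or cscript.exe still run.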
Another non-technical tip offered by Deepwatch is to make sure employees have the agreement templates they need internally. More than 100 of the blog posts found on this compromised sports streaming site were about some sort of business-related model agreement, and 34 others concerned contracts. Law, purchasing, taxation and legal were also common keywords. The fake thread technique has been in use since at least March 2021 and still works, suggesting that attackers still consider it viable and that it continues to return a high success rate.
“Having a process where an employee can request specific patterns may reduce their need to search for the patterns and thus fall victim to these tactics,” the researchers said.
Copyright © 2022 IDG Communications, Inc.