Sunday, May 5, 2024

Ransomware gangs use SEO poisoning to infect visitors - BleepingComputer

Last updated Thursday, October 28, 2021 09:02 ET, Source: NewsService

Researchers have spotted two campaigns linked to either the REvil ransomware gang or the SolarMarker backdoor that use SEO poisoning to serve payloads to targets.

SEO poisoning, also known as "search poisoning," is an attack method that relies on optimizing websites using 'black hat' SEO techniques to rank higher in Google search results.

Due to their high ranking, victims who land on these sites believe they are legitimate, and actors enjoy a heavy influx of visitors who look for specific keywords.

SEO for ransomware

According to the findings of the Menlo Security team, SEO poisoning by malware distributors is on the rise, with two notable examples being the Gootloader and SolarMarker campaigns.

The actors inject sites with keywords that cover over 2,000 unique search terms, including "sports mental toughness," "industrial hygiene walk-through," "five levels of professional development evaluation," and more.

The optimized sites appear in search results as PDFs that, when visited, prompt a user to download the document, as shown below.

When they click on the download button, the users are redirected through a series of sites that ultimately drop a malicious payload.

The threat actors use these redirects to prevent their sites from being removed from the search results for hosting malicious content.

In these particular campaigns, the threat actors were either dropping REvil via Gootloader or the SolarMarker backdoor.
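The chain described above (search-engine referral, click on the landing page, redirects across several sites, then a file download) can be hunted for in web proxy logs. The following is an added example, not code from the original article or from Menlo Security; the log fields, host names, content types and hop threshold are constructed assumptions.

```python
from collections import namedtuple
from urllib.parse import urlparse

# Assumptions for this example: tune these to your own proxy data.
SEARCH_HOSTS = {"www.google.com", "www.bing.com"}
DOWNLOAD_TYPES = {"application/zip", "application/octet-stream", "application/x-msdownload"}
MIN_REDIRECT_HOSTS = 2          # distinct off-site hosts crossed before the download
REDIRECTS = {301, 302, 303, 307, 308}

Rec = namedtuple("Rec", "client url referrer status location ctype")

# Constructed proxy records in time order (not real traffic).
SAMPLE_LOG = [
    Rec("10.0.0.5", "https://blog.example/industrial-hygiene-walk-through.pdf", "https://www.google.com/", 200, "", "text/html"),
    Rec("10.0.0.5", "https://blog.example/download?id=1", "https://blog.example/industrial-hygiene-walk-through.pdf", 302, "https://hop1.example/r", "text/html"),
    Rec("10.0.0.5", "https://hop1.example/r", "", 302, "https://hop2.example/get", "text/html"),
    Rec("10.0.0.5", "https://hop2.example/get", "", 200, "", "application/zip"),
    Rec("10.0.0.9", "https://docs.example/guide", "https://www.bing.com/", 200, "", "text/html"),
    Rec("10.0.0.9", "https://docs.example/files/guide.zip", "https://docs.example/guide", 200, "", "application/zip"),
]

def host(url):
    return urlparse(url).hostname or ""

def find_poisoned_chains(log):
    """Flag search-referred landings whose click redirects off-site to a download."""
    alerts, by_client = [], {}
    for rec in log:
        by_client.setdefault(rec.client, []).append(rec)
    for client, recs in by_client.items():
        by_url = {r.url: r for r in recs}
        for landing in (r.url for r in recs if host(r.referrer) in SEARCH_HOSTS):
            for click in (r for r in recs if r.referrer == landing):
                chain, cur, seen = [click.url], click, set()
                # Follow Location headers hop by hop; 'seen' stops redirect loops.
                while cur.status in REDIRECTS and cur.location in by_url and cur.location not in seen:
                    seen.add(cur.location)
                    cur = by_url[cur.location]
                    chain.append(cur.url)
                hops = {host(u) for u in chain} - {host(landing)}
                if cur.ctype in DOWNLOAD_TYPES and len(hops) >= MIN_REDIRECT_HOSTS:
                    alerts.append({"client": client, "landing": landing, "chain": chain})
    return alerts
```

On the constructed log, only the 10.0.0.5 session is flagged; the 10.0.0.9 session downloads from the same site it landed on and is left alone.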

Exploiting a WordPress plugin vulnerability

In the two...



Read Full Story: https://www.bleepingcomputer.com/news/security/ransomware-gangs-use-seo-poisoning-to-infect-visitors/
