SEO poisoning pushes malware-laced Zoom, TeamViewer, Visual Studio installers

LASER_oneXM

A new SEO poisoning campaign is underway, dropping the Batloader and Atera Agent malware onto the systems of targeted professionals searching for productivity tool downloads, such as Zoom, TeamViewer, and Visual Studio. These campaigns rely on the compromise of legitimate websites to plant malicious files or URLs that redirect users to sites that host malware disguised as popular apps.
Upon downloading and executing the software installers, the victims unknowingly infect themselves with malware and remote access software.

Poisoning search results

As part of this campaign, the threat actors perform search engine optimization (SEO) techniques to push compromised legitimate sites into search results for popular applications.
The targeted keywords are for popular applications like Zoom, Microsoft Visual Studio 2015, TeamViewer, and others.

Imranmt

An ongoing search engine optimization (SEO) poisoning attack campaign has been observed abusing trust in legitimate software utilities to trick users into downloading BATLOADER malware on compromised devices.

In SEO poisoning attacks, adversaries artificially boost the search engine ranking of websites (legitimate or otherwise) hosting their malware to make them show up on top of search results, so that users searching for specific apps like TeamViewer, Visual Studio, and Zoom are infected with malware.

The installer, although packing the legitimate software, is also bundled with the BATLOADER payload, which is executed during the installation process. The malware then acts as a stepping stone for gaining further insight into the targeted organization by downloading next-stage executables that propagate the multi-stage infection chain.

What's more, in a sign that the operators experimented with different ploys, an alternative variant of the same campaign delivered the Atera remote monitoring and management software directly as a consequence of the initial compromise, for further follow-on post-exploitation activities.
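Both posts describe the same pattern: a user searches for an installer, lands on a compromised or attacker-ranked site, and downloads an installer that bundles the real product with a payload. The script below is an added defensive example, not code from either post or from the reports they summarise. It scans constructed proxy log lines and flags installer downloads for the products named in the thread (Zoom, TeamViewer, Visual Studio) that are served from a domain outside the vendor's own, raising the severity when the referrer is a search engine, which is the tell-tale shape of an SEO poisoning hit. The log format, the vendor domain allowlist and the search engine list are assumptions made for this example.

```python
"""Flag installer downloads served from non-vendor domains after a search-engine
referral (an SEO poisoning indicator). Added example; the log lines, the field
layout, the allowlists and the domains are constructed for illustration."""
import re
from urllib.parse import urlparse

# Registrable domains the vendor actually serves installers from.
# Constructed allowlist; a real deployment fills this from vendor documentation.
VENDOR_DOMAINS = {
    "zoom": {"zoom.us"},
    "teamviewer": {"teamviewer.com"},
    "visualstudio": {"microsoft.com"},
}

# Referrer domains that mark a download as "found via search".
SEARCH_ENGINES = {"google.com", "bing.com", "duckduckgo.com"}

INSTALLER_RE = re.compile(r"\.(exe|msi)$", re.IGNORECASE)

# Constructed proxy log: timestamp src_ip url referer ("-" when absent).
SAMPLE_LOG = [
    "2022-02-01T10:00:00Z 10.0.0.5 https://zoom.us/client/latest/ZoomInstaller.exe https://www.google.com/search?q=zoom+download",
    "2022-02-01T10:05:00Z 10.0.0.7 https://compromised-blog.example/downloads/ZoomInstaller.exe https://www.google.com/search?q=zoom+download",
    "2022-02-01T10:07:00Z 10.0.0.9 https://cdn.example.org/TeamViewer_Setup.exe -",
    "2022-02-01T10:09:00Z 10.0.0.9 https://intranet.example/report.pdf https://www.bing.com/",
]


def registrable(host):
    """Collapse a hostname to its last two labels (good enough for this example;
    production code should use a public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def guess_product(filename):
    """Map an installer file name to one of the watched products, or None."""
    name = re.sub(r"[\s_\-]", "", filename.lower())
    for product in VENDOR_DOMAINS:
        if product in name:
            return product
    return None


def parse_line(line):
    ts, src, url, referer = line.split()
    return {"ts": ts, "src": src, "url": url, "referer": referer}


def check_record(rec):
    """Return an alert dict for a suspicious installer download, else None."""
    url = urlparse(rec["url"])
    filename = url.path.rsplit("/", 1)[-1]
    if not INSTALLER_RE.search(filename):
        return None                       # not an installer, ignore
    product = guess_product(filename)
    if product is None:
        return None                       # not a product we watch
    host = registrable(url.hostname or "")
    if host in VENDOR_DOMAINS[product]:
        return None                       # served by the vendor itself
    ref_host = registrable(urlparse(rec["referer"]).hostname or "")
    via_search = ref_host in SEARCH_ENGINES
    return {
        "ts": rec["ts"],
        "src": rec["src"],
        "product": product,
        "download_host": host,
        "via_search": via_search,
        # a search-engine referral to a non-vendor host is the SEO-poisoning shape
        "severity": "high" if via_search else "medium",
    }


def scan(lines):
    """Run the check over raw log lines and return the list of alerts."""
    alerts = []
    for line in lines:
        alert = check_record(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['src']} downloaded {a['product']} "
              f"installer from {a['download_host']} (via search: {a['via_search']})")
```

The vendor-domain allowlist is the part that makes this work: the campaign's whole trick is to make a non-vendor host rank for the vendor's product name, so "installer for product X from a host that is not X's" is the property to alert on, and a search-engine referrer raises confidence that the user arrived the way the posts describe.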