An ongoing search engine optimization (SEO) poisoning attack campaign has been observed abusing trust in legitimate software utilities to trick users into downloading BATLOADER malware on compromised machines.
“The threat actor used ‘free productivity apps installation’ or ‘free software development tools installation’ themes as SEO keywords to lure victims to a compromised website and to download a malicious installer,” researchers from Mandiant said in a report published this week.
In SEO poisoning attacks, adversaries artificially increase the search engine ranking of websites (genuine or otherwise) hosting their malware so that the sites show up at the top of search results, and users searching for specific apps such as TeamViewer, Visual Studio, and Zoom are infected with malware.
The installer, while packing the legitimate software, is also bundled with the BATLOADER payload, which is executed during the installation process. The malware then acts as a stepping stone for gaining further insight into the targeted organization by downloading next-stage executables that propagate the multi-stage infection chain.
One of those executables is a tampered version of an internal component of Microsoft Windows that has been appended with a malicious VBScript. The attack subsequently leverages a technique known as signed binary proxy execution to run the DLL file using the legitimate “Mshta.exe” utility.
This results in the execution of the VBScript code, effectively triggering the next phase of the attack, in which additional payloads such as Atera Agent, Cobalt Strike Beacon, and Ursnif are delivered in later stages to help perform remote reconnaissance, privilege escalation, and credential harvesting.
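The signed binary proxy execution step described above leaves a recognizable trace in endpoint telemetry: the signed Windows utility Mshta.exe is launched with an argument that is not an .hta file, often by a parent process running from a user-writable location such as a downloads folder. The following is an added example of detection logic, not code from the article or from Mandiant; it runs over constructed process-creation events (the paths, file names and parent processes are invented for illustration, not indicators from the campaign) and reports why each mshta.exe launch looks suspicious.

```python
"""Added example: flag process-creation events in which mshta.exe is used
to launch something other than an .hta file (signed binary proxy execution).
The event records below are constructed samples, not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcessEvent:
    """Minimal view of a process-creation event (Sysmon Event ID 1 style)."""
    parent_image: str
    image: str
    command_line: str


# Constructed sample events (hypothetical paths and names, not campaign IoCs).
SAMPLE_EVENTS = [
    # Benign: Explorer opens a genuine HTML Application.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Users\alice\Downloads\report.hta"'),
    # Suspicious: an installer in Downloads uses mshta.exe to run a DLL.
    ProcessEvent(r"C:\Users\alice\Downloads\setup_installer.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Users\alice\AppData\Local\Temp\tampered.dll"),
    # Unrelated process; must not be flagged.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\alice\notes.txt"),
]

# Matches an image path whose file name is mshta or mshta.exe (case-insensitive).
MSHTA_RE = re.compile(r"(?:^|\\)mshta(?:\.exe)?$", re.IGNORECASE)

# Directory fragments that a normal user can write to; a parent launching
# mshta.exe from here deserves a closer look.
USER_WRITABLE_FRAGMENTS = ("\\downloads\\", "\\appdata\\local\\temp\\")


def first_argument(command_line: str) -> Optional[str]:
    """Return the first argument after the program name, honouring double quotes."""
    tokens = re.findall(r'"([^"]*)"|(\S+)', command_line)
    parts = [quoted or bare for quoted, bare in tokens]
    return parts[1] if len(parts) > 1 else None


def reasons(event: ProcessEvent) -> List[str]:
    """List the detection reasons for an event; empty list means not suspicious."""
    if not MSHTA_RE.search(event.image):
        return []
    found = []
    arg = first_argument(event.command_line)
    # mshta.exe is meant to run HTML Applications; any other target is unusual.
    if arg is not None and not arg.lower().endswith(".hta"):
        found.append("non-hta-argument")
    parent = event.parent_image.lower()
    if any(fragment in parent for fragment in USER_WRITABLE_FRAGMENTS):
        found.append("parent-in-user-writable-path")
    return found


def find_suspicious(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return only the events that produced at least one detection reason."""
    return [e for e in events if reasons(e)]


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_EVENTS):
        print(f"{e.parent_image} -> {e.command_line}: {', '.join(reasons(e))}")
```

In a real deployment the same logic maps onto a Sysmon or EDR query over the Image, ParentImage and CommandLine fields; the argument check is the stronger signal, and the parent-path check mainly helps prioritize hits that line up with the trojanized-installer delivery described in the article.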
What’s more, in a sign that the operators experimented with different ploys, an alternate variant of the same campaign delivered the Atera remote monitoring and management software directly as a consequence of the initial compromise, for further follow-on post-exploitation actions.
Mandiant also called out the attacks’ overlaps with techniques adopted by the Conti ransomware gang, which were publicized in August 2021. “At this time, due to the public release of this information, other unaffiliated actors may be replicating the techniques for their own motives and objectives,” the researchers said.