This tactic — used to distribute REvil ransomware and the SolarMarker backdoor — is part of a broader increase in such attacks in recent months, researchers say.
Attacks involving SEO poisoning — where adversaries artificially increase the search engine ranking of websites hosting their malware to lure potential victims — are on the rise.
In the past few months, attackers have used the tactic in at least two campaigns across Menlo Security’s global customer base, researchers there say: one to distribute the REvil ransomware sample and the other to drop a backdoor called SolarMarker.
The attacks highlight recent efforts by threat actors to target users instead of organizations in their malicious campaigns, Menlo Security said in a report this week. The security vendor described the trend as likely being driven by adversaries seeking to take advantage of the current remote work environment where the lines between personal and business device use have blurred.
In search engine optimization (SEO) poisoning attacks, adversaries first compromise legitimate websites and then inject specific keywords into the website that users might commonly search for via their preferred search engine. The goal in injecting the keywords is to ensure that the compromised website surfaces near or on top of search engine results when a user searches for something using the keywords.
In the SolarMarker campaign that Menlo Security observed, users who clicked on the poisoned link were directed to a malicious PDF hosted on the compromised site and eventually ended up with the backdoor on their systems.
Menlo Security said it observed over 2,000 unique search terms that led users to sites hosting SolarMarker. Examples included “blue-jacket-of-the-quarter-write-up-examples,” “industrial-hygiene-walk-through-survey-checklist,” and “Sports Mental Toughness Questionnaire.” The campaign targeted users across numerous industry verticals, including automotive, retail, financial services, manufacturing, transportation, and telecommunications.
Websites hosting the malicious PDF were scattered around the world. While many were in the US, the security vendor said it noticed sites in countries such as Iran and Turkey that were also being used in the campaign. Sites serving the malicious PDF included government websites and domains belonging to well-known educational institutions, the security vendor said.
Vinay Pidathala, director of security research at Menlo Security, says that when adversaries choose what keywords they want to use in an SEO poisoning campaign, they likely start off with terms that are of interest to users within specific industries they might be targeting.
“In the [approximately] 2,000 search terms we noticed, we consistently saw customers searching for terms related to their industries,” Pidathala says. “One theory is that they could be using some sort of A/B testing, where initially they use a wide range of search terms, monitor the efficacy of each of these search terms, figure out which search terms are more widely searched for, and then later weaponize it.”
High Rate of Success
Pidathala describes SEO poisoning as a relatively effective way for attackers to distribute malware or lure users to malicious sites. In both the campaigns that Menlo Security recently observed — REvil and SolarMarker — a relatively high percent of users clicked on the malicious link in the search engine results, he says.
“Specifically in the SolarMarker campaign, we saw that about 42% of users who searched for a certain term eventually ended up clicking on the link in the malicious PDF, which would drop the malware — [proving] the effectiveness of this campaign,” he says.
Menlo Security said that all the compromised websites in the SolarMarker campaign were WordPress sites that contained a plug-in called Formidable Forms. It’s unclear, however, whether the plug-in played any role in allowing the attackers to break into the sites.
“We are neither sure if Formidable Forms was compromised or if there was a vulnerability in Formidable Forms,” Pidathala says. “We are merely pointing out that in all the WordPress sites we observed, this was the common plug-in installed.”
The attackers also employed a relatively simple evasion technique — using large-sized payloads — to try and sneak SolarMarker past anti-malware tools.
“The largest payload we observed was 123MB,” Pidathala says. “Unfortunately, tools tend to have a file size limit on what they can or cannot analyze.”