Hackers Employ Black Hat SEO Techniques To Deliver Malware

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Hackers use black hat SEO methods to manipulate search engine rankings and make malicious or fraudulent websites more visible.

Recently, Zscaler cybersecurity researchers have seen a wave of fraudulent sites hosted on well-known web hosting services and blogging platforms that threat actors use for SEO poisoning and malware distribution. 

Using legitimate hosting platforms allows attackers to quickly carry out SEO poisoning attacks, artificially elevating the ranking of harmful content on search results pages.

The website below appears legitimate; however, it carries malware that deceives people into downloading malicious software using search results.

The adversaries create fake sites that go unnoticed by the hosting services.

An example of a scam website hosted on Weebly (Source – Zscaler)

Unknowingly, users are directed to malicious sites when they search and click on links. They likely skip direct URL access because it could be subjected to security analysis.

These sites check referral URLs, and if they come from search engines, they proceed. However, if there is direct access without any redirection, they should not proceed to evade researchers’ detection.

A hidden script examines the referrer and redirects based on the concatenation of strings and mathematical operations that obfuscate its logic, Zscaler researcher said.

It is aimed at people looking for cracked software, showing them false MediaFire pages hosted on Weebly, which seem genuine but serve malware instead of cracks.

Comparison of a fake and legitimate MediaFire page (Source – Zscaler)

Though appearing identical at first glance, the fake non-MediaFire URL crosses the forgery.

The downloaded payload has nested password-protected ZIP archives, with the password hidden in an image – evading detection.

The installer drops a malicious DLL alongside legitimate GPG (GNU Privacy Guard) software using DLL sideloading. 

Files after extracting two ZIP archives (Source – Zscaler)

It launches explorer.exe by hollowing the process via undocumented API calls and injecting malicious code. 

While Explorer.exe runs PowerShell with obfuscated arguments, downloading an encoded script that undergoes deobfuscation involving replacement, Base64 decoding, and XOR operations before execution. 

Multiple obfuscation layers hide the malicious activities. The replaced Base64 file is decoded after being subjected to special characters’ substitution to avoid detection.

It involves multi-layer obfuscation with encoded sections and self-decrypting scripts.

When run, it creates a shortcut that loads harmful browser add-ons and drops files for them, too.

It communicates with command-and-control servers (C2s), which download malicious payloads executed by rundll32.exe.

Before performing exfiltration, this extension steals vast amounts of data from browsers and system and user information while on blockchain.info looking up the C2 domain through a Bitcoin address.

Here below, we have mentioned the types of data gathered by the malicious extension:-

  • System information 
  • Browser cookies
  • Browser fingerprints
  • Credentials 
  • Machine information
  • Browser extensions
  • Extension permissions
  • Cookies 
  • Browser history

The campaign abuses users’ trust by poisoning search engines through Black Hat SEO and utilizing fake websites that appear credible to distribute malware. 

For attackers, the objective is to make money by manipulating search results, so preventing this requires not downloading software programs from suspicious websites and only getting them from reliable sources.

Combat Email Threats with Easy-to-Launch Phishing Simulations: Email Security Awareness Training -> Try Free Demo