Search engine optimization, or SEO as it may be better known, is a key pillar of modern marketing.
As the name suggests, it is all about helping companies to stand out on search engines such as Google. The more visible your web pages are in search engine results, the greater the opportunity to garner attention and attract both new and existing customers to your website and business.
From bolstering credibility and brand reputation to ultimately increasing sales, SEO is a vital apparatus in digital marketing toolkits today.
To see it mentioned in the same breath as cybercrime might seem a little curious. Yet, in the same way that organizations are vying for our attention, cybercriminals are too.
At Menlo Security, we’ve seen a distinct uptick in the use, and the success, of SEO poisoning, a technique in which adversaries inject keywords into websites hosting malware so that those sites rank higher in search engine results and draw in unsuspecting victims. These types of highly evasive attacks have been seen before, but the velocity, volume, and complexity of this new wave have increased in recent months.
In recent times we’ve observed two campaigns across our global customer base. The first of these is the Gootloader campaign, which is being used to drop REvil ransomware, while the second is the SolarMarker campaign, which deploys the SolarMarker backdoor.
Here, we’ll be taking an in-depth look at the delivery mechanism and scope of such attacks as we have typically seen them unfolding to date.
Analyzing the infection vector
Having tracked the SolarMarker campaign of late, we found that as many as 2,000 unique search terms led to malicious websites, with some examples including ‘industrial-hygiene-walk-through-survey-checklist’ and ‘Sports Mental Toughness Questionnaire’.
When a user searches for such a term, compromised websites that host malicious PDFs will show up in the search engine results. When a user then clicks on the SEO poisoned link, they land on a malicious PDF that typically features a download button.
Should a user proceed to click on this, they will be taken through multiple HTTP redirections, after which a malicious payload is downloaded to the endpoint.
In the case of SolarMarker, we observed three different payload sizes being downloaded, the smallest being 70MB and the largest being 123MB, with these file sizes exceeding the limits defined by sandboxes and other content inspection engines.
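The infection chain described above (search-engine referer, PDF served from a compromised WordPress site, HTTP redirections, then an oversized payload) leaves a recognizable trail in web proxy logs. The following is an added example, not Menlo Security’s code, that triages a small set of constructed proxy log lines for those three stages; the CSV layout, the hostnames, and the 50MB sandbox inspection limit are all assumptions for the sake of the example.

```python
"""Triage constructed proxy log lines for SEO-poisoning indicators.

Added example, not Menlo Security code. Three heuristics drawn from the
post: (1) a PDF served from a WordPress 'formidable' upload directory and
reached via a search-engine referer, (2) a redirect whose referer is such
a PDF, and (3) a download larger than a sandbox's inspection limit.
"""
import csv
import io
from urllib.parse import urlparse

# Assumption: the cap above which the sandbox stops inspecting a download.
SANDBOX_LIMIT_BYTES = 50 * 1024 * 1024

SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.", "yahoo.")
FORMIDABLE_DIR = "/wp-content/uploads/formidable/"

# Constructed sample log. CSV columns: time,user,method,url,referer,status,bytes
# (hostnames and sizes are made up; the last download is 123MB as in the post).
SAMPLE_LOG = """\
2021-11-02T14:01:03Z,alice,GET,https://benign-example.test/wp-content/uploads/formidable/12/survey-checklist.pdf,https://www.google.com/search?q=survey+checklist,200,184320
2021-11-02T14:01:09Z,alice,GET,https://redirect-example.test/go?id=1,https://benign-example.test/wp-content/uploads/formidable/12/survey-checklist.pdf,302,0
2021-11-02T14:01:40Z,alice,GET,https://payload-example.test/files/setup.exe,https://redirect-example.test/go?id=1,200,128974848
2021-11-02T14:05:12Z,bob,GET,https://benign-example.test/wp-content/uploads/2021/brochure.pdf,https://benign-example.test/,200,51200
2021-11-02T14:06:00Z,carol,GET,https://cdn-example.test/update.zip,,200,1048576
"""


def is_search_referer(referer):
    """True when the referer host belongs to a common search engine."""
    host = urlparse(referer).hostname or ""
    return any(token in host for token in SEARCH_ENGINE_HOSTS)


def is_formidable_pdf(url):
    """True when the URL path is a PDF under the Formidable Forms upload dir."""
    path = urlparse(url).path.lower()
    return path.endswith(".pdf") and FORMIDABLE_DIR in path


def triage(log_text):
    """Return (time, user, finding, url) tuples for suspicious log lines."""
    findings = []
    for time, user, _method, url, referer, status, nbytes in csv.reader(io.StringIO(log_text)):
        # Stage 1: the SEO-poisoned landing PDF, arrived at from a search result.
        if is_formidable_pdf(url) and is_search_referer(referer):
            findings.append((time, user, "seo_poisoned_pdf", url))
        # Stage 2: the download button's redirect chain starting from that PDF.
        if status.startswith("3") and is_formidable_pdf(referer):
            findings.append((time, user, "redirect_from_poisoned_pdf", url))
        # Stage 3: a payload too large for the sandbox to have inspected.
        if int(nbytes) > SANDBOX_LIMIT_BYTES:
            findings.append((time, user, "oversized_download", url))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed log, the script reports the landing PDF, the 302 redirect that follows it, and the 123MB executable, all for the same user, while the legitimate brochure PDF and the small archive download stay quiet. Feed a real proxy export through `triage()` in the same column order and tune `SANDBOX_LIMIT_BYTES` to the actual inspection cap of your engine.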
WordPress and Formidable Forms
All of the sites we found to be hosting malicious PDFs were otherwise benign WordPress sites that had been compromised to host the malicious content. During our analysis, we also found that some well-known educational and .gov websites were serving malicious PDFs.
There was no specific market that was targeted either. While fake business websites were the most prominent, with more than 1,000 instances recorded, we also encountered threat actors posing as non-profits and NGOs, health and medicine sites, shopping sites, education entities, job search, travel, finance, and organizations spanning many other categories.
Similarly, a variety of industry verticals were observed clicking on the malicious links hosting the PDF files, including the automotive, energy, finance and investment, government, health, retail, manufacturing, media, housing, and telecommunications sectors, with the vast majority stemming from the United States. Sites in Iran and Turkey were also being used in this campaign.
WordPress was involved in each instance because the attackers were able to write to a specific directory: /wp-content/uploads/formidable/. This directory is created by the Formidable Forms plug-in, which lets WordPress admins easily add a form to their website.
Exactly 100 percent of the compromised URLs we observed (at the time of writing) were hosting malicious PDFs under this specific directory location. Looking at the changelog of Formidable Forms, it looks like the plug-in was updated and a security issue was fixed, but we are unsure if this was the security issue responsible for the initial vector in the SolarMarker campaign.
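Because every compromised URL served its PDF from /wp-content/uploads/formidable/, a site owner can audit that one directory directly. The following is an added example, not code from Menlo Security or from the Formidable Forms project: it walks a directory tree, reads each PDF, and reports those whose link actions point off-site (the malicious PDFs in this campaign carry a download button that starts the redirect chain). The regex-based link extraction is a heuristic that only sees uncompressed link annotations; the sample files it builds in a temporary directory are constructed for the example.

```python
"""Audit a WordPress 'formidable' uploads directory for PDFs whose link
actions leave the site. Added example, not the plug-in's or Menlo's code.
Builds constructed sample files in a temp dir so it runs offline; point
audit_uploads() at a real wp-content/uploads/formidable/ to use it.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# A PDF link annotation carries an action such as: /A << /S /URI /URI (https://...) >>
# Heuristic: object streams or obfuscated PDFs need a real parser (e.g. pypdf).
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")


def pdf_link_targets(data):
    """Return the URI strings of link actions found in raw PDF bytes."""
    return [m.group(1).decode("latin-1", "replace") for m in URI_ACTION.finditer(data)]


def audit_uploads(root, site_host):
    """Return (path, details) for every PDF under root that is suspicious:
    either it lacks a %PDF header (mislabelled content) or it links to a
    host other than site_host."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".pdf"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            if not data.startswith(b"%PDF"):
                hits.append((full, ["no PDF header"]))
                continue
            external = [u for u in pdf_link_targets(data)
                        if (urlparse(u).hostname or "") != site_host]
            if external:
                hits.append((full, external))
    return hits


def _pdf_with_links(uris):
    """Build a minimal, constructed PDF-like byte string with link annotations."""
    body = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
    for i, u in enumerate(uris, start=2):
        body += (b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (" % i
                 + u + b") >> >> endobj\n")
    return body + b"%%EOF\n"


def build_sample_tree():
    """Create a constructed uploads tree: one off-site PDF, one on-site PDF,
    one non-PDF file. Returns the temp root path."""
    root = tempfile.mkdtemp(prefix="formidable-")
    os.makedirs(os.path.join(root, "12"))
    with open(os.path.join(root, "12", "checklist.pdf"), "wb") as fh:
        fh.write(_pdf_with_links([b"https://redirect-example.test/go?id=1"]))
    with open(os.path.join(root, "12", "brochure.pdf"), "wb") as fh:
        fh.write(_pdf_with_links([b"https://benign-example.test/contact"]))
    with open(os.path.join(root, "image.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, details in audit_uploads(sample_root, "benign-example.test"):
        print(path, details)
```

On the constructed tree only `12/checklist.pdf` is reported, with its off-site link target; the brochure that links back to the site’s own host and the PNG are ignored. On a live site, pair the audit with the plug-in’s changelog review mentioned above: an unexpected PDF in this directory is evidence worth preserving before it is removed.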
Highlighting the dangers in a remote and hybrid era
In a new normal of remote and hybrid business models, the browser plays an ever larger part in day-to-day working life. Indeed, a study from Google shows that end-users spend on average three-quarters of their workday using a browser.
At the same time, Menlo’s survey reveals that 75% of organizations believe hybrid and remote workers may pose a security threat when accessing applications on unmanaged devices. Such concerns have also prompted 53% to plan to reduce or limit third-party/contractor access to systems and resources over the next 12 to 18 months.
SolarMarker is an example of these fears realized.
While it is a classic supply-chain style attack in which attackers can take advantage of vulnerable sites to launch their malicious campaigns, it is also an example of attackers finding ways to exploit the increased usage of the browser, targeting the user directly by evading traditional methods of detection.
It is this form of initiation that makes such campaigns particularly dangerous.