SEO Poisoning

Chris Swagler | October 28th, 2021


Researchers have identified two malware campaigns, one delivering the REvil ransomware and one delivering the SolarMarker backdoor, that use SEO poisoning to put their payloads in front of targets. SEO poisoning, also called "search poisoning," is an attack technique in which websites are optimized with "black hat" SEO practices to boost their ranking in Google results. Victims land on a high-ranking page they assume is legitimate, and the threat actors get a steady stream of visitors who were searching for specific keywords.

SEO Poisoning Infecting Web Visitors

The Menlo Security team observed an increase in SEO poisoning by malware distributors, including in the Gootloader and SolarMarker campaigns. The threat actors targeted more than 2,000 unique search terms, among them "sports mental toughness," "industrial hygiene walk-through," and "five levels of professional development evaluation." The poisoned pages appear in search results as PDFs and prompt the visitor to download the document. When the visitor clicks the download button, they are redirected through a series of other websites and ultimately served the malicious payload. Because the malicious content is not hosted on the ranking page itself, the redirects help keep that page from being removed from search results for hosting malware. In these campaigns the final payload is REvil, delivered through Gootloader, or the SolarMarker backdoor.

The researchers found that in both campaigns the actors compromised legitimate, already well-ranked websites rather than building their own malicious sites. The sites were exploited through an undisclosed flaw in the "Formidable Forms" WordPress plugin, which let the attackers upload the laced PDFs into the '/wp-content/uploads/formidable/' directory. Sites running what was then the plugin's most recent release, 5.0.07, were among those compromised, so users of the plugin are advised to update to version 5.0.10 or later. Business websites are heavily targeted because they routinely host PDFs such as guides and reports, so a malicious PDF in the uploads folder blends in.
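A site owner who runs Formidable Forms has a concrete place to look: every PDF under the uploads tree. The script below is an added example, not code from SpearTip or Menlo Security. It triages PDFs for the two things a lure carries that a genuine guide or report does not: link actions whose target leaves the site, and active content such as /OpenAction, /JavaScript or /Launch. The site hostname (example.com), the directory layout and the two sample PDFs are constructed for the demonstration; the attacker domain cdn-downloads.invalid is a placeholder, not an indicator from the campaigns. The scan is byte-pattern based, so it only sees dictionaries stored uncompressed; it reports the count of FlateDecode streams so the analyst knows what it could not inspect.

```python
"""Triage PDFs under a WordPress uploads tree for SEO-poisoning lure markers.

Added example (not SpearTip/Menlo code). Byte-pattern scan: dictionaries hidden
inside compressed object streams are counted, not inspected.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

# Literal-string URI actions:  /A << /S /URI /URI (https://...) >>
# (the hex-string form /URI <...> is not handled by this triage).
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Name objects that a static guide or report has no reason to contain.
KEYWORD_RE = re.compile(
    rb"/(?:OpenAction|AA|JavaScript|JS|Launch|SubmitForm|GoToR|EmbeddedFile)\b"
)


def _is_onsite(host, site_host):
    """True for the site itself and its subdomains."""
    host, site_host = host.lower(), site_host.lower()
    return host == site_host or host.endswith("." + site_host)


def scan_pdf_bytes(data, site_host):
    """Return a findings dict for one PDF body."""
    external, internal = [], []
    for raw in URI_RE.findall(data):
        url = raw.decode("latin-1")
        host = urlsplit(url).hostname or ""
        (internal if _is_onsite(host, site_host) else external).append(url)
    keywords = sorted({m.decode() for m in KEYWORD_RE.findall(data)})
    return {
        "external_uris": external,
        "internal_uris": internal,
        "active_keywords": keywords,
        "compressed_streams": data.count(b"/FlateDecode"),
        # Off-site link targets or any active content is enough to pull the file for review.
        "suspicious": bool(external) or bool(keywords),
    }


def triage_uploads(root, site_host):
    """Walk an uploads tree; return [(relative_path, findings)] for suspicious PDFs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".pdf"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings = scan_pdf_bytes(fh.read(), site_host)
            if findings["suspicious"]:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits.append((rel, findings))
    return sorted(hits, key=lambda h: h[0])


def build_sample_pdf(link_url, open_action_js=None):
    """Construct a minimal uncompressed PDF (no xref table; fine for the scanner)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R"
        + (b" /OpenAction 5 0 R" if open_action_js else b"") + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 72 540 720] "
        b"/A << /S /URI /URI (" + link_url.encode() + b") >> >>",
    ]
    if open_action_js:
        objs.append(b"<< /S /JavaScript /JS (" + open_action_js.encode() + b") >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def demo_triage(site_host="example.com"):
    """Write one benign and one lure PDF into a temporary uploads tree and triage it."""
    lure_url = "https://cdn-downloads.invalid/get.php?id=7"  # constructed placeholder
    with tempfile.TemporaryDirectory() as tmp:
        updir = os.path.join(tmp, "wp-content", "uploads", "formidable")
        os.makedirs(updir)
        with open(os.path.join(updir, "annual-report.pdf"), "wb") as fh:
            fh.write(build_sample_pdf("https://www.example.com/reports/2021"))
        with open(os.path.join(updir, "industrial-hygiene-walkthrough.pdf"), "wb") as fh:
            fh.write(build_sample_pdf(lure_url, 'app.launchURL("%s", true);' % lure_url))
        return triage_uploads(tmp, site_host)


if __name__ == "__main__":
    for rel, f in demo_triage():
        print(rel, f["external_uris"], f["active_keywords"])
```

On a live site, point `triage_uploads()` at the real wp-content/uploads directory and treat any hit as a file to pull and compare against what the owner actually published; a high `compressed_streams` count with no other findings means the file needs a tool that inflates object streams before it can be cleared.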

In 2012, threat actors launched the first modern encrypting ransomware and spread it as widely as possible, hoping to infect as many people as they could. Now that ransomware groups target high-profile companies and demand multi-million-dollar payments, this spray-and-pray approach is less common, since infected consumers are unlikely to pay large ransoms. According to BleepingComputer, however, one REvil affiliate still runs widespread attacks against consumers and small companies, demanding between $1,500 and $7,500 rather than millions. It has not been determined whether this affiliate uses SEO poisoning, but the technique would fit its model of indiscriminately targeting any kind of victim.

With threat actors and ransomware groups continuously developing and refining their tactics and techniques, companies need to stay current with the threat landscape and treat search results with care: a high ranking is not evidence that a site is legitimate. At SpearTip, we offer pre-breach and advisory services to help companies prepare for threats like SEO poisoning and address their network security vulnerabilities. With our Security Operations Centers (SOC) operating 24/7/365, our certified engineers continuously monitor your global networks. Working in tandem with our SOC as a Service, the ShadowSpear platform, our endpoint detection and response tool, reveals potential ransomware threats like REvil or SolarMarker and prevents network infiltration.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.


Frequently Asked Questions

How can website owners protect their visitors from SEO poisoning attacks?

Website owners can protect their visitors from SEO poisoning by keeping their content management system (CMS), plugins, and themes patched to the latest versions, since the campaigns described above got in through an unpatched plugin. They should also enforce strong access controls and user authentication, regularly review their website traffic and logs for suspicious activity (for example, PDFs appearing in the uploads directory that nobody published), and use a web application firewall (WAF) to filter malicious traffic.

Are there any specific industries or types of websites that are more vulnerable to these types of attacks?

Websites with a high volume of web traffic or those that deal with sensitive information (such as e-commerce sites, financial institutions, or government websites) may be more attractive targets for cybercriminals.

How effective are traditional antivirus and malware detection tools in detecting and preventing SEO poisoning attacks?

SEO poisoning attacks can be sophisticated and may involve the use of legitimate-looking URLs and compromised websites, making them harder to detect using traditional antivirus software alone. Therefore, it is important for website owners to adopt a multi-layered security approach that includes regular vulnerability assessments, web application firewalls, and continuous monitoring for suspicious activity.
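The "continuous monitoring" in the answers above has a specific shape for this campaign: requests for PDFs under the WordPress uploads tree that the owner never published, arriving with a search-engine referrer. The script below is an added example, not SpearTip code. It parses web server access logs in Combined Log Format, reports every uploads PDF that is absent from the owner's published list, and counts how many of its hits came from a search engine so the analyst can prioritise. The log lines, the published-file list and the IP addresses are constructed for the demonstration; the search-engine suffix list is deliberately short and does not cover country-code Google domains.

```python
"""Flag unpublished PDFs under wp-content/uploads that are being reached from
search engines: the traffic signature of an SEO-poisoning lure.

Added example (not SpearTip code). Log lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format as written by default Apache/nginx configurations.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
UPLOADS_PDF_RE = re.compile(r"^/wp-content/uploads/.+\.pdf$", re.IGNORECASE)
# Short list for the example; ccTLD variants (google.co.uk, ...) are not covered.
SEARCH_ENGINE_DOMAINS = ("google.com", "bing.com", "duckduckgo.com", "yahoo.com")


def is_search_referer(referer):
    """True if the Referer header came from one of the listed search engines."""
    host = (urlsplit(referer).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINE_DOMAINS)


def detect_unpublished_pdfs(lines, published_paths):
    """Return {path: stats} for uploads PDFs not in the owner's published set.

    stats: hits, search_referred (hits with a search-engine Referer), unique_ips.
    """
    acc = defaultdict(lambda: {"hits": 0, "search_referred": 0, "ips": set()})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        path = m["path"].split("?", 1)[0]
        if not UPLOADS_PDF_RE.match(path) or path in published_paths:
            continue
        s = acc[path]
        s["hits"] += 1
        s["ips"].add(m["ip"])
        if is_search_referer(m["referer"]):
            s["search_referred"] += 1
    return {
        p: {"hits": s["hits"], "search_referred": s["search_referred"],
            "unique_ips": len(s["ips"])}
        for p, s in acc.items()
    }


# Constructed sample: two lure PDFs in the formidable folder, one legitimate report.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Oct/2021:14:02:11 +0000] "GET /wp-content/uploads/formidable/industrial-hygiene-walk-through.pdf HTTP/1.1" 200 48213 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
198.51.100.7 - - [27/Oct/2021:14:03:40 +0000] "GET /wp-content/uploads/formidable/industrial-hygiene-walk-through.pdf HTTP/1.1" 200 48213 "https://www.bing.com/search?q=industrial+hygiene+walk-through" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"
203.0.113.44 - - [27/Oct/2021:14:05:02 +0000] "GET /wp-content/uploads/2021/09/annual-report.pdf HTTP/1.1" 200 90210 "https://www.google.com/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.9 - - [27/Oct/2021:14:06:59 +0000] "GET /wp-content/uploads/2021/09/annual-report.pdf HTTP/1.1" 200 90210 "https://www.example.com/investors/" "Mozilla/5.0 (Windows NT 10.0)"
192.0.2.23 - - [27/Oct/2021:14:07:30 +0000] "GET /about/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
203.0.113.88 - - [27/Oct/2021:14:09:12 +0000] "GET /wp-content/uploads/formidable/sports-mental-toughness.pdf HTTP/1.1" 200 51022 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""
PUBLISHED = {"/wp-content/uploads/2021/09/annual-report.pdf"}  # what the owner actually uploaded


def demo():
    """Run the detector over the constructed log."""
    return detect_unpublished_pdfs(SAMPLE_LOG.splitlines(), PUBLISHED)


if __name__ == "__main__":
    for path, stats in sorted(demo().items(), key=lambda kv: -kv[1]["search_referred"]):
        print(path, stats)
```

The published-file list is the control that makes this work: a file the owner cannot account for is the finding, and the search-referrer count tells you whether the lure is already ranking. Feed the detector a real access log with `open(path).readlines()` and the set of paths from the media library or a file-integrity baseline.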
