SEO Poisoning dropping malware

Industry: N/A | Level: Tactical | Source: Mandiant

Mandiant Managed Defense has identified a threat campaign distributing BATLOADER malware and malicious installations of remote management software, ATERA from crafting website themes with freeware, and using search engine optimization poisoning to lure victims. The malicious webpages incorporate Traffic Direction System (TDS) to verify user attributes determining if the site visitor should be directed to a malicious or legitimate page in order to avoid detection from security researchers. Two different infection chains are utilized for the malware. BATLOADER users attempting to download the alleged software also receive an installer, that runs native tools such as PowerShell, Msiexec.exe, and Mshta.exe in order to evade detection. A notable DLL file, “AppResolver.dll" contains a malicious VBScript that's executed with Mshta.exe. With the ATERA infection chain, an MSI file is dropped for the ATERA agent to be installed, To maintain persistence the network discovery component of ATERA, Splashtop would also be installed and scripts will be pushed from the agent to tamper with the host by modifying Windows Defender file exclusions and downloading additional payloads. Currently, no known attribution of the activity is determined for a threat actor group, however, there is some overlap in techniques from the leaked Conti playbooks in August 2021.

• Anvilogic Scenario: Malicious Software Download via MSI
• Anvilogic Use Cases:
• MSHTA.exe execution
• MSIExec Install MSI File
• Modify Windows Defender