Wednesday, July 1, 2026

SEO poisoning pushes malware-laced Zoom, TeamViewer, Visual Studio installers


A new SEO poisoning campaign is underway, dropping the Batloader and Atera Agent malware onto the systems of targeted professionals searching for productivity tool downloads, such as Zoom, TeamViewer, and Visual Studio.

These campaigns rely on the compromise of legitimate websites to plant malicious files or URLs that redirect users to sites hosting malware disguised as popular apps.

Upon downloading and executing the software installers, the victims unknowingly infect themselves with malware and remote access software.

Poisoning search results

As part of this campaign, the threat actors use search engine optimization (SEO) techniques to push compromised legitimate sites into search results for popular applications.

The targeted keywords are for popular applications like Zoom, Microsoft Visual Studio 2015, TeamViewer, and others.

Malicious search engine result promoting Visual Studio download
Source: Mandiant

When a user clicks on the search engine link, they are taken to the compromised site, which includes a Traffic Direction System (TDS). Traffic Direction Systems are scripts that check various attributes of a visitor and use that information to decide whether they should be shown the legitimate webpage or redirected to another malicious site under the attacker's control.

In similar campaigns in the past, the TDS would only redirect visitors if they came from a search engine result. Otherwise, the TDS would show the visitor the normal and legitimate blog post.

This technique helps prevent analysis by security researchers, as it only shows the malicious behavior to those who arrived from a search engine.

If a visitor is redirected, the malicious site will show them a fake forum discussion where a user asks how to get a particular app, and another phony user offers a download link, as shown below.

Fake forum discussion offering a download link
Source: Mandiant

Clicking the download link will cause the site to create a packaged malware installer using the name of the sought-after application. Because the malware packages include the legitimate software, many users will not realize they have also been infected with malware.

Some of the malicious domains found by Mandiant researchers being used in this campaign are:

  • cmdadminu[.]com
  • zoomvideo-s[.]com
  • cloudfiletehnology[.]com
  • commandaadmin[.]com
  • clouds222[.]com
  • websekir[.]com
  • team-viewer[.]site
  • zoomvideo[.]site
  • sweepcakesoffers[.]com
  • pornofilmspremium[.]com
  • kdsjdsadas[.]online
  • bartmaaz[.]com
  • firsone1[.]online

Dropping a malware cocktail

When the downloaded program is executed, it will carry out two different infection chains that drop malware payloads on the system.

The first infection chain starts with installing the fake software bundled with the BATLOADER malware, which fetches and executes additional payloads like Ursnif and Atera Agent.

The second infection chain drops ATERA Agent directly, bypassing the malware loading stages. Atera is a legitimate remote management solution that is being abused for lateral movement and deeper infiltration.

Diagram showcasing the two attack chains
Source: Mandiant

In the first infection chain, the actors use MSHTA to execute a legitimate Windows DLL (AppResolver) laced with a malicious VBScript that changes Microsoft Defender settings and adds specific exclusions.

VBScript disabling Microsoft Defender features
Source: Mandiant
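The MSHTA step above is the kind of process launch a defender can alert on: mshta.exe is built to run .hta files, so an invocation whose argument is a DLL, an EXE, a URL, or an inline `vbscript:`/`javascript:` string is worth a look. The following is an added detection example, not code from the article or from Mandiant. It assumes a JSON-lines event shape with `Image`, `CommandLine` and `ParentImage` fields (modelled on Sysmon process-creation fields, but an assumption), and the sample events, paths and file names in it are constructed.

```python
"""Flag mshta.exe launches whose argument is not an .hta file.

Added example, not from the article or from Mandiant. Event format
(JSON lines with Image / CommandLine / ParentImage) is an assumption
modelled on Sysmon Event ID 1; all sample events below are constructed."""
import json
import ntpath

# Constructed sample events (not real telemetry). Event 1 mimics the
# campaign's pattern: mshta.exe handed a DLL dropped by a fake installer.
SAMPLE_EVENTS = [
    r'{"Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe \"C:\\Program Files\\Vendor\\help.hta\"", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe \"C:\\Users\\victim\\AppData\\Local\\Temp\\AppResolver.dll\"", "ParentImage": "C:\\Users\\victim\\Downloads\\zoom-setup.exe"}',
    r'{"Image": "C:\\Windows\\SysWOW64\\mshta.exe", "CommandLine": "mshta.exe javascript:close()", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}',
]


def split_windows_cmdline(cmdline):
    """Minimal Windows command-line splitter: whitespace separates arguments,
    double quotes group them. Adequate for detection; not a CommandLineToArgvW clone."""
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def classify_mshta(event):
    """Return a reason string when the event is a suspicious mshta.exe launch, else None."""
    if ntpath.basename(event.get("Image", "")).lower() != "mshta.exe":
        return None
    args = split_windows_cmdline(event.get("CommandLine", ""))[1:]  # drop argv[0]
    for arg in args:
        low = arg.lower()
        # Inline script protocols and remote URLs never involve a local .hta file.
        if low.startswith(("vbscript:", "javascript:", "http://", "https://")):
            return f"inline or remote script argument: {arg}"
        ext = ntpath.splitext(low)[1]
        # A file with any extension other than .hta (e.g. a signed DLL carrying
        # appended script) is the pattern described in the article.
        if ext and ext != ".hta":
            return f"non-.hta file executed by mshta: {arg}"
    return None


def scan_events(lines):
    """Return (index, reason) for every JSON event line that trips the rule."""
    hits = []
    for i, line in enumerate(lines):
        reason = classify_mshta(json.loads(line))
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for idx, reason in scan_events(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The rule keys on the executable name and the argument's extension rather than on a specific file name, so a renamed DLL is still caught; pairing it with the parent process (here a freshly downloaded installer) is what turns a weak signal into a triage-worthy alert.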

Interestingly, the PE Authenticode signature in the Windows file remains valid even though the actors have added their malicious code to it, an issue that Microsoft tried to address with the CVE-2020-1599 fix.

Mandiant's report describes the bypass technique as follows:

We observed arbitrary script data was appended to the signature section beyond the end of the ASN.1 of a legitimately signed Windows PE file. The resultant polyglot file maintains a valid signature as long as the file has a file extension other than '.hta'. This polyglot file will successfully execute the script contents if it is executed with Mshta.exe, as Mshta.exe will skip the PE's bytes, locate the script at the end, and execute it.
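The quoted description points to a concrete file-level check: Authenticode hashes the PE but not the signature block itself, so the `WIN_CERTIFICATE` entry in the security directory can carry bytes past the end of the PKCS#7 `SignedData` SEQUENCE without invalidating the signature. Measuring that gap is a cheap triage heuristic. The code below is an added example, not Mandiant's tooling and not a signature verifier: it parses only enough of the PE header to find the security directory, reads the DER length of the SEQUENCE, and reports anything non-zero beyond it. The minimal PE skeleton, the stand-in PKCS#7 blob and the appended text are constructed fixtures so the example runs offline; on a real file, pass the file's bytes to `audit_pe`.

```python
"""Report bytes appended after the PKCS#7 SEQUENCE inside a PE's Authenticode
WIN_CERTIFICATE entry. Added example, not Mandiant's tooling and not a
signature verifier. Fixtures (fake PE, fake PKCS#7, appended text) are constructed."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
WIN_CERT_REVISION_2_0 = 0x0200


def der_total_length(buf):
    """Total size (tag + length + content) of the DER SEQUENCE starting at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE at start of certificate data")
    first = buf[1]
    if first < 0x80:                       # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def check_win_certificate(blob):
    """Inspect one WIN_CERTIFICATE structure and report what lies past the ASN.1."""
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", blob, 0)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected certificate type {cert_type:#06x}")
    cert = blob[8:dw_length]
    asn1_len = der_total_length(cert)
    trailing = cert[asn1_len:]
    # Authenticode pads each entry to an 8-byte boundary with zero bytes;
    # any non-zero data beyond the SEQUENCE is foreign to the signature.
    foreign = trailing.rstrip(b"\x00")
    return {"asn1_len": asn1_len, "trailing_len": len(trailing),
            "foreign": foreign, "suspicious": len(foreign) > 0}


def security_directory(pe):
    """Return (file_offset, size) of the security directory. Unlike the other
    data directories, this entry holds a raw file offset, not an RVA."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                 # optional header follows signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_base = opt + (112 if magic == 0x20B else 96)   # data directories: PE32+ vs PE32
    return struct.unpack_from("<II", pe, dd_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)


def audit_pe(pe):
    """Run check_win_certificate over every entry in the security directory."""
    off, size = security_directory(pe)
    table = pe[off:off + size]
    results, pos = [], 0
    while pos + 8 <= len(table):
        dw_length = struct.unpack_from("<I", table, pos)[0]
        if dw_length < 8 or pos + dw_length > len(table):
            break
        results.append(check_win_certificate(table[pos:pos + dw_length]))
        pos += dw_length + (-dw_length % 8)  # entries are 8-byte aligned
    return results


# --- constructed fixtures (not real signed files) ---
FAKE_PKCS7 = b"\x30\x03\x02\x01\x05"   # SEQUENCE { INTEGER 5 }: stands in for SignedData
APPENDED_SCRIPT = b"<script language=VBScript>MsgBox 1</script>"  # harmless stand-in


def build_win_certificate(pkcs7, appended=b""):
    """WIN_CERTIFICATE around pkcs7, optionally with foreign bytes appended."""
    body = pkcs7 + appended
    body += b"\x00" * (-len(body) % 8)
    return struct.pack("<IHH", 8 + len(body), WIN_CERT_REVISION_2_0,
                       WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def build_fake_pe(cert_blob):
    """Minimal, non-loadable PE32+ skeleton whose only populated data
    directory is the security directory pointing at cert_blob."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    opt = bytearray(240)                                  # PE32+ optional header incl. 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    cert_off = 0x40 + 4 + 20 + len(opt)
    struct.pack_into("<II", opt, 112 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8, cert_off, len(cert_blob))
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt) + cert_blob


if __name__ == "__main__":
    for label, blob in (("clean", build_win_certificate(FAKE_PKCS7)),
                        ("polyglot", build_win_certificate(FAKE_PKCS7, APPENDED_SCRIPT))):
        print(label, audit_pe(build_fake_pe(blob)))
```

A non-empty `foreign` result does not by itself prove malice (some signing tools leave odd padding), but script text sitting after a valid signature in a file that MSHTA is launching is exactly the combination described above, and the check costs far less than full signature validation.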

Link to Conti gang?

Mandiant's analysts underline that some of the techniques seen in this campaign match the content of the Conti playbooks that a disgruntled affiliate leaked last August.

While the campaign could be replicated by unrelated actors, loading the VBScript from a signed Windows file indicates a skillful operator.

Deploying ransomware payloads via Atera Agent would be fairly simple, while the targeting scope outlined by the SEO lures is company-focused.
