Researchers have discovered a high-effort search engine optimization (SEO) poisoning campaign that seems to be targeting employees from multiple industries and government sectors when they search for specific terms that are relevant to their work. Clicking on the malicious search results, which are artificially pushed higher in ranking, leads visitors to a known JavaScript malware downloader.
“Our findings suggest the campaign may have foreign intelligence service influence through analysis of the blog post subjects,” researchers from security firm Deepwatch said in a new report.
“The threat actors used blog post titles that an individual would search for whose organization may be of interest to a foreign intelligence service e.g., ‘Confidentiality Agreement for Interpreters.’ The Threat Intel Team discovered the threat actors highly likely created 192 blog posts on one site.”
Deepwatch came across the campaign while investigating an incident at a customer. One of the customer's employees had searched for “transition services agreement” on Google and ended up on a website that presented what appeared to be a forum thread, in which one of the users shared a link to a zip archive.
The zip archive contained a file called “Accounting for transition services agreement” with a .js (JavaScript) extension. The file was a variant of Gootloader, a malware downloader known in the past to deliver a remote access Trojan called Gootkit, as well as various other malware payloads.