The Menlo Labs team discovered two distinct campaigns that dropped the REvil and SolarMarker backdoors. Both campaigns use SEO poisoning to deliver their payloads to the systems of targeted victims.
According to the researchers, recent Gootloader and SolarMarker campaigns (distributing the REvil and SolarMarker backdoors, respectively) have increasingly used SEO poisoning to reach their victims.
The attackers inject keywords covering 2,000 unique search topics and terms, such as "professional development evaluation", "sports mental toughness", and "industrial hygiene walk-through", into WordPress-based sites. The malicious pages were optimised for these keywords on Google, so users were shown search results in the form of PDFs that urged them to download the document. The redirects also prevent the compromised sites from being removed from search results.
The campaign served the malicious PDFs from a variety of locations, with the United States topping the list, followed by Iran and Turkey. The attackers primarily targeted business websites that host PDFs such as guides and reports; some well-known education and .gov websites were also disseminating malicious PDFs.
The attackers in these two campaigns did not create their own malicious sites, but instead compromised WordPress sites with high search rankings. These sites were compromised through an unknown vulnerability in the Formidable Forms WordPress plugin. Version 5.0.07 of the plugin was affected; the vulnerability was fixed in versions 5.0.10 and later.
Because of the sudden increase in remote working, SEO-based attacks have increased. Remote work entails open-internet searches via web browsers, which raises the exposure to SEO-based manipulation. As a result, experts advise blocking all redirect sites hosted on .site or .tk TLDs, as well as file downloads from unknown sources.
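The advice above (block redirects to .site/.tk hosts and PDF downloads from unvetted sources) can be turned into a simple triage check over web proxy logs. The following is an added example, not code from Menlo Labs or the original article; the log format, the sample lines, the search-engine list and the trusted-host allowlist are all constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed sample proxy log lines (not from the article). Assumed format,
# space separated: client method url status content-type referrer location
SAMPLE_LOG = [
    "10.0.0.5 GET https://example-business.com/guides/hygiene-walkthrough.pdf 302 - "
    "https://www.google.com/search?q=industrial+hygiene+walk-through https://download-portal.site/get.php",
    "10.0.0.5 GET https://download-portal.site/get.php 200 application/pdf "
    "https://example-business.com/guides/hygiene-walkthrough.pdf -",
    "10.0.0.7 GET https://intranet.corp.local/report.pdf 200 application/pdf - -",
    "10.0.0.9 GET https://news.example.org/article 200 text/html "
    "https://www.bing.com/search?q=sports+mental+toughness -",
]

SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com"}  # assumed
RISKY_TLDS = {"site", "tk"}                # the TLDs named in the article's advice
TRUSTED_DOWNLOAD_HOSTS = {"intranet.corp.local"}  # assumed organisational allowlist


def tld_of(host):
    """Return the last DNS label of a host name, lower-cased ('' if empty)."""
    return host.rsplit(".", 1)[-1].lower() if host else ""


def classify(line):
    """Return the reasons one proxy log line looks like SEO-poisoning delivery."""
    client, method, url, status, ctype, referrer, location = line.split(" ")
    reasons = []
    ref_host = urlparse(referrer).netloc if referrer != "-" else ""
    url_host = urlparse(url).netloc
    # A 3xx redirect whose target lands on a throwaway TLD such as .site or .tk
    if status.startswith("3") and location != "-":
        loc_host = urlparse(location).netloc
        if tld_of(loc_host) in RISKY_TLDS:
            reasons.append("redirect to risky TLD: " + loc_host)
    # A PDF served by a host that is not on the vetted download allowlist
    if ctype == "application/pdf" and url_host not in TRUSTED_DOWNLOAD_HOSTS:
        reasons.append("pdf from unvetted host: " + url_host)
        if tld_of(url_host) in RISKY_TLDS:
            reasons.append("pdf host on risky TLD")
    # A search-engine click that lands straight on a document download path
    if ref_host in SEARCH_ENGINES and url.lower().endswith(".pdf"):
        reasons.append("search-engine click straight to a PDF")
    return reasons


def scan(lines):
    """Map line index -> reasons for every line that raised at least one flag."""
    flagged = {}
    for i, line in enumerate(lines):
        reasons = classify(line)
        if reasons:
            flagged[i] = reasons
    return flagged
```

Running `scan(SAMPLE_LOG)` flags the first two constructed lines (the search click onto a PDF that redirects to a .site host, and the PDF then fetched from that host) and leaves the internal report and the ordinary HTML page alone.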