Posts labelled "blackhat seo poisoning"

Spyware Infests the Microsoft Store with Classic Game Pirates


Electron Bot, malware that infiltrated Microsoft's official store via clones of popular games such as Subway Surfer and Temple Run, infected approximately 5,000 machines in Sweden, Israel, Spain, and Bermuda.

Check Point discovered and analysed the malware, a backdoor that gives attackers full control over infected PCs, including remote command execution and real-time interaction. The threat actors' goal is social media promotion and fraud: by taking control of social media profiles, Electron Bot can register new accounts, post comments, and like content.

An early Electron Bot variant was uploaded to the Microsoft Store as "Album by Google Photos," published by a fake Google LLC business, and the operation was first identified at the end of 2018. The malware, which is named after the Electron programming language, can mimic natural browsing behaviour and act as if it were a real website visitor. It does this by opening a new hidden browser window with the Electron framework's Chromium engine, setting the relevant HTTP headers, rendering the requested HTML page, and finally performing mouse actions.

In an SEO poisoning campaign, threat actors build rogue websites and use search engine optimisation techniques to push them to the top of the search results. Besides boosting their own malicious sites, the operators also offer SEO poisoning as a service to raise the rank of other websites. The infection chain starts when the user downloads one of the infected apps from the Microsoft Store, otherwise a trusted source of software. When the application is launched, a JavaScript dropper is loaded dynamically at run time to fetch and install the Electron Bot payload.

The malware connects to its C2 (Electron Bot[.]s3[.]eu-central-1[.]amazonaws[.]com or 11k[.]online), retrieves its configuration, and executes any queued commands at the next system startup. The JS files dropped on the machine are relatively short and appear benign because the main scripts are loaded dynamically at run time.

Fraud, fleeceware, and financial trojans abound in official app stores. The Xenomorph banking malware was recently found by ThreatFabric, and the most ironic case has to be Vultur, a trojan hidden inside a fully functional two-factor authentication (2FA) app that recently infected 10,000 people who downloaded it from Google Play.

Electron Bot's successful entry into Microsoft's official app store is only the latest example of how consumers throw caution to the wind whenever a shiny new app catches their eye.

IISerpent Trojan Manipulates Search Engine Optimization


Security researchers have recently had to deal with a large number of malware attacks targeting the Internet Information Services (IIS) component. The IISerpent Trojan is the latest malware family to be added to the list.

The malware is installed as a Microsoft IIS add-on, after which it intercepts HTTP requests and traffic, but there's a catch. Unlike other IIS malware that uses this position to steal credentials and private data, such as the IISpy backdoor, IISerpent only springs into action when it recognises requests coming from specific search engines, and ignores ordinary HTTP traffic. Search engines run crawlers that regularly scour the web for pages to index or re-index. Pages on the same domain can link to one another, and crawlers use specific algorithms to determine a page's search engine ranking.

Buying adverts or applying search engine optimisation (SEO) techniques are two legitimate ways to improve a page's position in search engine result pages, but not all digital marketers follow the rules. SEO-boosting practices that contravene webmaster guidelines, such as stuffing pages with unrelated keywords or buying backlinks to improve a website's reputation, are known as unethical SEO (historically, black hat SEO).

IISerpent is a native IIS module, implemented as a C++ DLL and configured in the %windir%\system32\inetsrv\config\ApplicationHost.config file. This gives IISerpent both persistence and execution, because all IIS modules are loaded by the IIS worker processes (w3wp.exe) and used to handle inbound HTTP requests.

Like all native IIS modules, IISerpent exports a function called RegisterModule, which handles module initialisation. The malicious functionality is hidden in its event handlers, methods of the module class (inherited from CHttpModule) that are called on particular server events. IISerpent's module class overrides the OnBeginRequest and OnSendResponse methods, so the malware's handlers run every time the IIS server begins processing a new inbound HTTP request and every time it sends the response buffer.

Because everything looks normal to the webmaster and to users (all the 'magic' happens in the background), these attacks are very hard to detect. That said, a quick look at a backlink analysis or at network traffic data will suggest that something is amiss.

The worst part of an IISerpent attack is that the compromised websites may lose their good SEO ranking. Search engine crawlers will quickly notice the link between the original page and the fraudulent website, which usually results in SEO penalties.

Searching for Keyword “Windows Android Drivers” leads to Malware website

Cybercriminals often use SEO poisoning techniques to lure unsuspecting internet users to their malicious websites. In one recent example, cybercriminals targeted Android users by poisoning Yahoo! search results.

Security researchers at GFI Labs found that searching for "Windows Android Drivers" points to a malicious website [bestdrivers(dash)11(dot)ru].

Visiting the Russian site in question automatically downloads a file called "install.exe", a Trojan.

Once the file is executed, the malware changes the Internet Explorer home page to a malicious domain.

If victims visit the same Russian site from their Android devices, they are redirected to various malicious websites whose domain names contain the "android" keyword. These sites send users on to fake Google Play sites.

A few months back, I discovered that Google Image search results were being poisoned and directed me to an infected website.

Now Bing image search results lead to BHEK v2 - Blackhat SEO poisoning

I reported a few days ago that Google Image search results lead to a BlackHole Exploit Kit v2.0 page. Now Bing Image search results also lead to malicious sites.

A quick image search in Bing for the keyword 'movie outline example' returns rogue images that lead to malicious websites. The attackers use blackhat SEO to poison the search results.

Blackhat SEO, also known as malicious SEO poisoning, occurs when attackers manipulate search engine results so that their links rank above legitimate results. When a user searches for related terms, the infected links appear near the top of the results, generating more clicks to malicious websites.

According to a Sophos report, Bing search results are poisoned more than those of any other search engine (65%).

"Digging further into the data, it is also clear that the attackers are getting most success from poisoning image search results," the researcher said.

When I clicked one of the rogue images, I was redirected to a malicious site "zaka.uni.**" that hosts the latest version of the BlackHole Exploit Kit (v2.0).

The same keyword, 'zaka', is used in the malicious domain from the Google Image result attack. It seems the same group is poisoning Bing search results as well.