Threat analysts from security firm Deepwatch have uncovered a sophisticated search engine optimization (SEO) poisoning campaign that targets employees in several industries and government entities when they search for specific terms relevant to their work. When victims click the malicious search results, which rank highly, they unknowingly download a popular JavaScript malware downloader.
“Our findings suggest the campaign may have foreign intelligence service influence through analysis of the blog post subjects,” researchers explained in a new report. “The threat actors used blog post titles that an individual would search for whose organization may be of interest to a foreign intelligence service e.g., ‘Confidentiality Agreement for Interpreters.’ The Threat Intel Team discovered the threat actors highly likely created 192 blog posts on one site.”
SEO poisoning modus operandi
The researchers identified the malicious campaign while investigating an incident in which an employee searched Google for a “transition services agreement” and ended up on a malicious site. The site presented what appeared to be a forum thread in which one of the customers shared a link to a zip archive.
The zip archive included a file called “Accounting for transition services agreement” with a .js (JavaScript) extension that was a variant of Gootloader, a multi-staged JavaScript malware package that has been in the wild since late 2020.
While investigating the site hosting the malware delivery page, the researchers found that it was a sports streaming distribution site. However, over 190 blog posts were hidden in its design, covering multiple topics relevant to professionals working in various industry sectors. These blog posts can be reached only via Google search results.
“The suspicious blog posts cover topics ranging from government, and legal to real estate, medical, and education,” the researchers added. “Some blog posts cover topics related to specific legal and business questions or actions for US states such as California, Florida, and New Jersey. Other blog posts cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries.”