“Our findings suggest the campaign may have foreign intelligence service influence through analysis of the blog post subjects,” researchers explained in a new report. “The threat actors used blog post titles that an individual would search for whose organization may be of interest to a foreign intelligence service e.g., ‘Confidentiality Agreement for Interpreters.’ The Threat Intel Team discovered the threat actors highly likely created 192 blog posts on one site.”
SEO poisoning modus operandi
The researchers identified the malicious campaign while scanning an incident where one of the employees scanned for a “transition services agreement” on Google and ended up on a malicious site that offered them what seemed to be a forum thread where one of the customers shared a link to a zip archive.
During the investigation of the site hosting the malware delivery page, the researchers realized it was a sports streaming distribution site. However, over 190 blog posts were hidden in their design on multiple topics relevant to professionals working in various industry sectors. These blog posts can solely be reached via Google search results.
“The suspicious blog posts cover topics ranging from government, and legal to real estate, medical, and education,” the researchers added. “Some blog posts cover topics related to specific legal and business questions or actions for US states such as California, Florida, and New Jersey. Other blog posts cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries.”
Read the full article here