3 Nov 2017

Group uses SEO to poison Google search results with links to banking trojan

When you think you've seen it all, malware authors always find a way to impress you.

Today's "that's clever!" moment comes courtesy of a criminal group that's been spreading a new version of the Zeus Panda banking trojan since June, this year.

Instead of relying on old techniques of malvertising and spam campaigns, this group has taken a novel approach, never before seen in the distribution of banking trojans. Black-hat SEO, for the win! This Zeus Panda group decided to rely on a network of hacked websites, on which they inserted carefully chosen keywords in new pages or hid the keywords inside existing pages. The group leveraged the favorable Google SERP (Search Engine Results Pages) ranking of the hacked sites to position these malicious pages at the top of Google search results for specific queries related to online banking and personal finances.

For example, a person searching for "al rajhi bank working hours in ramadan" would see a malicious link ranked at the top of Google search results. Users clicking on these links would arrive on the hacked site, where malicious JavaScript code would execute in the background and redirect the user through a series of sites until they reached one offering a Word document for download.

Malware group combines SEO spam and malvertising

This tangled chain of URL redirections is typical of malvertising campaigns, which bounce users from sites running tainted ads to exploit kits, tech support scams, or fake software updaters.

The Zeus Panda group basically combined SEO spam botnets (made up of hacked sites hiding secret keywords that boost the SEO reputation of other sites) with a classic malvertising-to-exploit-kit redirection chain.
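The hidden-keyword injection described above gives site owners something concrete to check for. The following is an added example, not code from the article, Talos or G Data: it parses a page's HTML with Python's standard library and reports text blocks hidden from visitors (display:none, off-screen positioning, the hidden attribute) that mention finance-related terms. The keyword list, the hiding patterns and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed keyword list; a site owner would use terms relevant to their own audience.
FINANCE_TERMS = ("bank", "ramadan", "working hours", "swift code", "loan")
# Inline-style tricks commonly used to keep injected text out of sight (constructed list).
HIDDEN_STYLE = [re.compile(p) for p in (
    r"display\s*:\s*none", r"visibility\s*:\s*hidden", r"font-size\s*:\s*0",
    r"(?:text-indent|left|top)\s*:\s*-\d{3,}px")]  # last one: pushed off-screen
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}  # never get a closing tag

class HiddenTextScanner(HTMLParser):
    """Collects text that sits inside any element hidden from visitors."""
    def __init__(self):
        super().__init__()
        self.stack = []        # (tag, is_hidden) for each open element
        self.hidden_text = []  # text found inside hidden subtrees
    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        a = dict(attrs)
        style = (a.get("style") or "").lower()
        hidden = "hidden" in a or any(p.search(style) for p in HIDDEN_STYLE)
        # A child of a hidden element is hidden too.
        self.stack.append((tag, hidden or bool(self.stack and self.stack[-1][1])))
    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):  # tolerate unclosed tags
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break
    def handle_data(self, data):
        if self.stack and self.stack[-1][1] and data.strip():
            self.hidden_text.append(data.strip())

def find_hidden_keywords(html, terms=FINANCE_TERMS):
    """Return [(hidden text, matched terms)] for hidden blocks mentioning any term."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    hits = [(t, [k for k in terms if k in t.lower()]) for t in scanner.hidden_text]
    return [h for h in hits if h[1]]

# Constructed page: a garden-centre site carrying injected, hidden finance keywords.
SAMPLE_PAGE = """<html><body><h1>Our Garden Centre</h1>
<p>Spring seedlings now in stock.</p><img src="x.png"><br>
<div style="display:none">al rajhi bank working hours in ramadan, swift code, loan rates</div>
<p style="position:absolute; left:-9999px">click here for bank login</p>
<p style="display:none">Legitimately hidden cookie notice text</p></body></html>"""
```

Running find_hidden_keywords over each page of a site's crawl flags only hidden blocks that carry the chosen terms, so ordinary hidden UI text is not reported.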

The Word document users got would be identical to the one someone would get if they received it via a spam email. The only difference would be how they got it, but not what was inside.

Group pushed new Zeus Panda banking trojan version

The Word file still relies on users enabling macro execution, which starts a series of hidden scripts that install a new variant of the Zeus Panda banking trojan, previously analyzed by the G Data crew here.

Cisco Talos — who discovered this hybrid SEO-malvertising Zeus Panda distribution campaign taking place over the summer — has also released a report with technical details about the distribution campaign, the Google search queries for which malicious pages showed up, and extra details on the new Zeus Panda variant.

"The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware," Talos wrote in its report. "This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time."


Tags:
fraud information leaks Google trojan
Source:
BleepingComputer