BATLOADER Malware Uses SEO Poisoning

Researchers have discovered a search engine optimization poisoning campaign intended to lure users into installing malware on their computers. The campaign works by leveraging various SEO techniques, such as cramming tons of keywords into the source code of various malicious webpages, in order to raise those webpages near the top of the search results for various productivity applications that are free to download.

This campaign has two different infection chains. The first infection chain targets users looking for software bundles. A user who searches for something like “free software development tools installation” may see a compromised website among the search results on the first page and visit that site. If the user downloads and runs the software installer on the compromised site, it will install legitimate software, but bundled with that software is BATLOADER malware.

Once after the installation process, a multi-stage infection chain begins, where each stage involves downloading and executing an additional malicious payload. One of these payloads contains malicious VBScript embedded inside a legitimate internal component of Windows, AppResolver.dll. Despite the malicious VBScript, the DLL sample’s code signature remains valid, which is an issue that Microsoft attempted to address with a patch for CVE-2020-1599.

The second attack chain targets users looking for specific software, rather than software bundles. When a user searches for “free TeamViewer install, users are directed to the malicious website will find a message board with a download link for what appears to be legitimate software, but is really the ATERA Agent Installer Package. ATERA is legitimate Remote Monitoring and Management software, but the threat actors in this case use it to run pre-configured scripts, perform malicious tasks, install persistent malware, and finally uninstall itself, once its work is done.

Some of the attack chain activity overlaps with techniques used in CONTI ransomware  operations. The threat group behind this SEO poisoning campaign may be replicating CONTI techniques, by drawing on training documents, playbooks, and tools that were leaked by a disgruntled CONTI affiliate in August 2021.

Indicators of Compromise

• 1440caafb45e52b0b315c7467fcde11f
• 2077d8a65c8b08d64123c4ba3f03cbdd
• 2141919f65ab3ff4eab25e5032e25598
• 229152f0b00d55796780b00c233bf641
• 29bc15a6f0ff99084e986c3e6ab1208c
• 2b16a731a2e4dedfa3db0bf3068614bc
• 32885d012fa3b50199d7cde9735bcb8a
• 32cd02c4cd8938645a744b915056d133
• 3393bd9d04be1ff4e537464e1b79d078
• 3abbec0420aaf7a9960d9eabc08006d5
• 3e06c87faede153d4dab5ef1066fe0d7
• 3ed96f460438e7fddaa48e96c65cb44c
• 428166c513ed98c72e35fe127a9b5be6
• 48942b45679b3646000ac2fb6a99e0ed
• 5376112bebb371cdbe6b2a996fb6dae6
• 5cae01aea8ed390ce9bec17b6c1237e4
• 5cae01aea8ed390ce9bec17b6c1237e4
• 60db9dff2e50e00e937661d2a6950562
• 67a4f35cae2896e3922f6f4ab5966e2b
• 67a4f35cae2896e3922f6f4ab5966e2b
• 6ad4e37221adf3861bfa99a1c1d5faaa
• 6cd13e6429148e7f076b479664084488
• 7127cbc56e42fc59a09fd9006dd09daa
• 7575ecc5ac5ac568054eb36a5c8656c4
• 849b46e14df68dd687e71c7df8223082
• 8eb5f0bbd73b5ca32e60deb34e435320
• 9ed2084c6c01935dc5bb2508357be5a6
• 9f03ad59cb06b40e6187ef6d22d3b76b
• a046e40693a33a1db2aec6d171d352ce
• a0b793ff07493951ed392cdc641d3d62
• a45c0a83ce2ea52d8edf915b1e169b8f
• b4a8b58857649fad1cf8f247a0496c95
• b850920c95b694f63aa47fc991396457
• b9c9da113335874d0341f0ac1f5e225d
• bd20223cb57c55559db81f17ef616070
• C02916697ed71e5868d8ea456a4a1871
• c08de039a30c3d3e1b1d18a9d353f44c
• c12452167e810cde373d7a59d3302370
• c9be3451e713382ecf0f7da656cef657
• cb1fcc1c0c35cd4e0515b8bf02ba3303
• D14b4a96edf70c74afe3d99101daaff8
• e33847174fbd2b09abc418c1338fceec
• e5decd05056634eace35396a22148bf1
• e66ba648666c823433c473e6cfc2e4fc
• e6c2dd8956074363e7d6708fb8063001
• e6c2dd8956074363e7d6708fb8063001
• f535505f337708fbb41cdd0830c6a2d4