Vulnerabilities / Threats
11/3/2017
12:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Hackers Poison Google Search Results to Deliver Zeus Panda

Threat actors leverage SEO to ensure malicious links rank highly in Google results to infect targets with Trojan.

Most people use Google to search for answers but don't know the results aren't always safe. Attackers have begun to exploit this reliance on Google by using Search Engine Optimization (SEO) to populate search results with malicious links and distribute the Zeus Panda Banking Trojan through a compromised Word document.

SEO enables hackers to make their links more dominant in search results. In this case, attackers are "poisoning" the results for specific keywords related to banking and finance, effectively narrowing their victim pool to a specific group so they can steal financial information.

"SEO poisoning by itself isn't really new," says Earl Carter, threat researcher for Cisco Talos and one of the authors who detailed this discovery. "People have always been trying to manipulate search results. What was unique is they're using it in the distribution of malware."

Based on the keywords used, it seems the attackers are targeting geographic regions. Some examples of targeted keyword searches include "nordea sweden bank account number," "al rajhi bank working hours during ramadan," and "sbi bank recurring deposit form."

In this campaign, hackers used compromised Web servers to ensure malicious links will appear prominently in these searches. Most of the time, they successfully displayed several poisoned links on the first results page. The links seemed unsuspicious because attackers hid their activity under compromised business websites that already had ratings and reviews.

"As user awareness training becomes more common, [users] are less likely to open unexpected attachments, but those same users may be likely to click result number one on a Google result page," says Talos threat researcher Edmund Brumaghin. Researchers checked other search engines and concluded Google is the attackers' key focus.

Users who browse pages hosted on compromised servers kick-start a multi-stage malware infection. The same redirection and infrastructure has been seen in other attacks; for example, fake antivirus and tech support scams in which users are asked to call a phone number.

Ultimately, targets are redirected to a site hosting a malicious Word document. The doc contains malicious macros that execute when users download and click "Enable Content."

What's inside

Researchers determined the malicious payload in this campaign seems to be a new version of the Zeus Panda banking Trojan, which steals sensitive data like banking information. The sample Talos analyzed is a multi-stage malware payload in which the initial stage has several anti-analysis techniques and prolonged execution to evade detection. While its functionality is still the same, the evasion techniques make it harder for reverse engineers to figure out.

This malware first queries the system's keyboard mapping to determine its language, and terminates if it detects Russian, Belarusian, Kazak, or Ukrainian. Earlier analysis of Zeus Panda also revealed it wouldn't run on systems in Russia, Ukraine, Belarus, or Kazakhstan.

Zeus Panda checks to verify whether it's running within hypervisor or sandbox environments including VMware, VirtualPC, VirtualBox, Parallels, Sandboxie, Wine, or SoftIce. Finally, the malware scans for tools commonly used among analysts for investigating malicious software. If any of these checks turn up positive, the malware removes itself from the machine.

Researchers can't say with certainty whether the Zeus Panda threat actors are also behind this campaign. "The same threat actors, over time, constantly try to find new ways to get in," says Carter. "It could be the same guys, it could be different guys."

Alternatively, they say, this distribution mechanism could be the work of threat actors who are "farming it out" to attackers who want to spread different forms of malware, similar to how the Necurs botnet distributes various campaigns via email.

Carter and Brumaghin emphasize the importance of building on user awareness training to include verifying whether links are trusted. Just because a site appeared high in Google search doesn't mean it's safe.

"Make sure you know what site you're going to when you go to a Google result, or result in any search engine, says Brumaghin.

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Venomous Crash
50%
50%
Venomous Crash,
User Rank: Apprentice
11/9/2017 | 12:23:36 PM
Impressive
Im Impressed maybe these hacker dare to take my challenge Times running out Tick Tock

 
Microsoft Word Vuln Went Unnoticed for 17 Years: Report
Kelly Sheridan, Associate Editor, Dark Reading,  11/14/2017
121 Pieces of Malware Flagged on NSA Employee's Home Computer
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Managing Cyber-Risk
An online breach could have a huge impact on your organization. Here are some strategies for measuring and managing that risk.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.