Cybersecurity researchers have observed two different campaigns linked to SolarMarker backdoor or the nefarious ransomware gang, REvil, that utilises search engine optimisation (SEO) poisoning to serve up malicious payloads to victims.

SEO poisoning, also commonly known as “search poisoning”, is a type of attack that takes advantage of optimising websites employing black hat-style SEO techniques to improve their ranking higher in search results of engines like Google.

On account of their high ranking, unsuspecting victims who land on these dangerous sites believe them to be legitimate, and threat actors receive a heavy influx of unwitting visitors who are seeking sites via specific keywords.

Search engine optimisation for ransomware

The Menlo Security researchers discovered that SEO poisoning from malware distributors is now on the rise. Two examples of note to support this belief are campaigns known as SolarMarket and Gootloader.

The threat operators inject websites with keywords that can cover over 2,000 different search terms. Three recorded examples include “sports mental toughness,” “five levels of professional development evaluation,” and “industrial hygiene walk-through” among many others.

The optimised sites then appear in the search results in PDF format and when visited, summarily prompt users to download an infected document.

When the user clicks on the included download option, they are redirected to a string of different sites that ultimately will deliver a malicious payload.

Threat operators are then able to employ these redirects to stop their bogus sites from being eradicated from search results due to hosting harmful content.

In the two campaigns mentioned earlier, the threat operators were dropping REvil ransomware using the SolarMarker backdoor or Gootloader.

WordPress plugin vulnerabilities

In the cybercriminal campaigns identified by the researchers, the threat operators did not create malicious sites of their own. Instead, they hacked authentic WordPress sites that enjoyed a high Google search ranking to their credit already.

The WordPress websites were hacked by actors abusing an undisclosed weakness in the WordPress plugin known as ‘Formidable Forms’. The hackers used the flaw to upload infected PDF into the plugin’s content folder.

When contemporary encrypting ransomware was first observed in action back in 2012, threat operators would typically cast a wide net for their insidious attacks with the hope of infecting the largest number of victims as possible.

However, times have changed and so have the tactics of ransomware operators. In 2021, today’s ransomware gangs are often targeting high-value organisations in their quest for payments involving millions of pounds. This has led the “spray and pray” method to become for more commonly seen on the cyberthreat landscape, as it often infects unsuitable targets unable to pay substantial ransoms.

However, some ransomware operators affiliated with the REvil gang are less selective when it comes to picking targets. Attacks have been recorded aimed at business of all different sizes from large-scale corporations to small start-ups. Ransoms requested have been observed to be as low as $1,500, with the given amount demanded depending entirely on the operator behind an attack.