Security researchers have uncovered a campaign targeting Chinese-speaking Microsoft Windows users through search engine optimization (SEO) poisoning: the attackers manipulate search rankings so that fraudulent websites imitating legitimate software vendors appear among the top results. Visitors who trust those results download malware disguised as the application they were looking for.
The attackers registered domains that closely resembled the legitimate vendors' domains, relying on subtle character substitutions to pass a casual glance. Visitors to the spoofed sites were offered trojanized versions of popular applications: each installer bundled the genuine software with the malware, so the application works as expected and the infection is easy to miss.
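The lookalike-domain trick described above is easy to check for mechanically. The following Python script is an added example, not code from the report or from any of the researchers it cites: it reduces a host name to a "skeleton" in which confusable characters (Cyrillic letters that render like Latin ones, digits that resemble letters, digraphs such as "rn" for "m") collapse to one spelling, then compares that skeleton against an allowlist of trusted vendor domains. The allowlist, the homoglyph map and the candidate domains are constructed for illustration and are not indicators from the campaign; a production version would compare registrable domains using the public suffix list rather than whole host names.

```python
"""Flag lookalike domains against an allowlist of legitimate software vendors.

Added example; the allowlist and candidate domains below are constructed for
illustration and are not indicators from the campaign.
"""
import unicodedata

# Cyrillic and Greek letters that render like Latin letters (partial, constructed map).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u0261": "g",
})

# ASCII digits and digraphs that read like another letter; digraphs go first
# so that "rn" becomes "m" before any single-character swap applies.
ASCII_SWAPS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed allowlist of vendor domains an organisation trusts.
LEGIT_DOMAINS = {"deepl.com", "notepad-plus-plus.org", "7-zip.org"}


def skeleton(domain: str) -> str:
    """Collapse a host name into a skeleton in which visually confusable
    characters share one canonical spelling."""
    host = domain.strip().lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA; keep the raw string
    host = unicodedata.normalize("NFKC", host).translate(HOMOGLYPHS)
    for src, dst in ASCII_SWAPS:
        host = host.replace(src, dst)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, allowlist=LEGIT_DOMAINS) -> str:
    """Return 'allowlisted', 'homoglyph', 'typosquat' or 'unrelated'."""
    host = domain.strip().lower().rstrip(".")
    if host in allowlist:
        return "allowlisted"
    sk = skeleton(host)
    for legit in allowlist:
        legit_sk = skeleton(legit)
        if sk == legit_sk:
            return "homoglyph"     # differs only by confusable characters
        if levenshtein(sk, legit_sk) <= 1:
            return "typosquat"     # one edit away from a trusted vendor
    return "unrelated"


def scan(domains, allowlist=LEGIT_DOMAINS) -> dict:
    """Classify every candidate domain, e.g. names pulled from proxy or DNS logs."""
    return {d: classify(d, allowlist) for d in domains}


if __name__ == "__main__":
    # Constructed candidates: a genuine domain, a Cyrillic-e homoglyph,
    # a digit swap, a dropped letter and an unrelated site.
    for dom, verdict in scan([
        "deepl.com", "d\u0435\u0435pl.com", "deep1.com", "deepl.co", "example.net",
    ]).items():
        print(f"{verdict:12} {dom}")
```

Feeding the host names seen in DNS or proxy logs through scan() gives a quick list of domains that deserve a look before anyone downloads an installer from them; the same check can back a DNS filter or a download-allowlist policy.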
Mayuresh Dani, a security research manager at Qualys Threat Research Unit, explained that the attackers used SEO techniques to boost the visibility of these fake sites in search results, increasing the likelihood of users falling victim to the malware. The malware variants involved in this attack, Hiddengh0st and Winos, were cleverly hidden within legitimate applications to evade security solutions.
One of the key tools in this campaign was a script named "nice.js", which drove a multi-step redirection chain that ended at the download of a malicious installer. Researchers analyzing the campaign focused on a fake DeepL installer whose setup package carried the malicious components alongside the legitimate ones.
The malware employed anti-analysis tactics to evade detection, including extensive checks for sandbox environments. Once active, it established persistence through several mechanisms: registry modifications, shortcut creation, and TypeLib hijacking.
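TypeLib hijacking is the least familiar of the three persistence mechanisms named above, and the article does not describe how the malware used it. The following Python script is an added example, not code from the report: it parses a registry export (.reg) offline and flags TypeLib registrations that match the commonly documented form of the technique, which is an assumption here rather than a detail from the campaign. In that form the typelib's win32 or win64 path is pointed at a script: moniker (so the referenced .sct is executed through scrobj.dll when an application loads the typelib) or at a file in a user-writable location, and the entry is often written under HKCU\Software\Classes, where a per-user registration shadows the machine-wide one. The export embedded below is constructed, with placeholder GUIDs and paths, and is not an indicator from the campaign.

```python
"""Hunt a .reg export for TypeLib registrations that look hijacked.

Added example, not code from the report. The registry export below is
constructed (placeholder GUIDs and paths). The heuristics assume the
commonly documented form of TypeLib hijacking: a win32/win64 path that is a
script: moniker or points into a user-writable location, often via HKCU.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{11111111-1111-1111-1111-111111111111}\1.0\0\win32]
@="C:\\Windows\\System32\\example.tlb"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{22222222-2222-2222-2222-222222222222}\1.0\0\win32]
@="script:C:\\Users\\Public\\Libraries\\update.sct"

[HKEY_CURRENT_USER\Software\Classes\TypeLib\{33333333-3333-3333-3333-333333333333}\1.0\0\win64]
@="C:\\Users\\victim\\AppData\\Roaming\\Helper\\helper.dll"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
# ...\TypeLib\{GUID}\<version>\<LCID>\win32 or win64
TYPELIB_PATH_KEY_RE = re.compile(
    r"\\TypeLib\\\{[0-9A-F-]+\}\\[^\\]+\\\d+\\win(32|64)$", re.IGNORECASE)

# Locations a legitimate, machine-installed typelib normally lives under.
SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_typelib_paths(reg_text):
    """Yield (key, path) for every TypeLib win32/win64 default value."""
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m and key and TYPELIB_PATH_KEY_RE.search(key):
            # .reg exports escape backslashes and double quotes.
            yield key, m.group(1).replace('\\"', '"').replace("\\\\", "\\")


def assess(key, path):
    """Return (severity, reasons) for one typelib path registration."""
    reasons, severity = [], "info"
    target = path.lower()
    if target.startswith("script:"):
        reasons.append("script: moniker; the referenced .sct runs via scrobj.dll when the typelib is loaded")
        severity = "high"
        target = target[len("script:"):]
    if not target.startswith(SYSTEM_PREFIXES):
        reasons.append("target outside Windows/Program Files (user-writable path)")
        severity = severity if severity == "high" else "medium"
    if key.upper().startswith("HKEY_CURRENT_USER\\"):
        reasons.append("per-user entry under HKCU\\Software\\Classes shadows the HKLM registration")
        severity = severity if severity == "high" else "medium"
    return severity, reasons


def hunt(reg_text):
    """Return every typelib path registration with its assessment."""
    hits = []
    for key, path in parse_typelib_paths(reg_text):
        severity, reasons = assess(key, path)
        hits.append({"key": key, "path": path, "severity": severity, "reasons": reasons})
    return hits


if __name__ == "__main__":
    # A real export from regedit is UTF-16LE: open(path, encoding="utf-16").read()
    for hit in hunt(SAMPLE_REG):
        if hit["severity"] != "info":
            print(hit["severity"].upper(), hit["path"])
            for why in hit["reasons"]:
                print("   -", why)
```

On the constructed export the stdole-style entry under HKLM pointing into System32 is reported as informational, the script: moniker under HKCU as high, and the per-user DLL under AppData as medium. On a live Windows host the same assess() logic can be run over keys enumerated with the winreg module instead of a .reg export.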
The final payload included modules for continuous monitoring, system data collection, and command-and-control communication, which let the attackers log keystrokes, monitor the clipboard, and hijack cryptocurrency wallets. Additional plugins indicated a focus on intercepting Telegram activity and screen monitoring.
FortiGuard Labs attributed the malware to the Hiddengh0st and Winos families. Information stolen by these implants can be used to stage further attacks, raising the overall threat level. To reduce exposure to SEO poisoning campaigns, organizations are advised to provide multilingual security awareness training, deploy DNS filtering, enforce browser security controls, and adopt verified software download policies so that installers come only from vendor-controlled sources.
Staying vigilant and applying these proactive measures lets users avoid falling prey to SEO poisoning and similar attacks.

