Have you ever thought about what role search engine optimization (SEO) might play in a cyber attack?
Generally, it is used to tune the search results of websites on any search engine. The more the optimization, the better the chances of getting the webpage in the search results.
There has been a particular kind of attack which leverages this and it has been happening for a while now. Torrents are popular for media and other large files. People often go there to download movies or softwares that are not open source.
Attackers observed this trend and came up with an idea for an attack. This is not a new technique that has appeared overnight, but it has been around for a number of years.
Let’s see how this attack works.
First, the attacker creates a torrent file that contains the malware. Generally, document malware comes via phishing emails, but in this case, recipients would be suspicious if they get the torrent file as an attachment. So, they need a different way of delivering it.
Attackers compromise WordPress sites and host multiple malicious pages which contain the torrent file. These pages have good search results. This attack usually targets a different demographic.
Example page:
The content may differ from page to page but the torrent file is usually the same. Here it is about a movie. On another page, it might be about a different movie or bootlegged software. Every page will have a download button that can download the torrent file. This is hosted on the same site. Unknown to the user, this file contains the pointer to a malware.
We have observed that all these pages are hosted on compromised WordPress websites.
In the past, we saw a huge number of spam pages that are being hosted on WordPress sites, but this time it was something different. Instead of several spam pages, all the pages have content that is coherently organized, but contains malware.
When you observe the page, you can see that there are some pictures hosted that are related to the content. There are quite a few pictures uploaded on the website, which tells us that they have hosted that many pages with different content.
The screenshots below are just a small sample of what has been hosted there.
However, the attack isn’t fully complete here. It has to reach the people for the attack to fully execute.
This is where SEO comes into play. We see that the pages are a little more popular than we thought! The screenshot below depicts this clearly.
When a user ideally wants to find a movie or software on torrent, he would go on Google and type in something like this – “movie-name download torrent” or “movie name torrent”
Search results have been optimized to display multiple results and multiple domains containing the same page near the top of the results list. These are the pages which are hosted on a compromised website.
Let’s see what malware is being hosted. We can download the sample using a torrent client.
We have some interesting stuff here. There is a video file (.mpg) of 800 Mb which doesn’t have the movie.
And “75095_VTS.srt” isn’t an srt file but rather an executable file that, when uploaded in virustotal, was not detected.
Let’s look at the other file: the .bat file here will decrypt the srt file. When decoded, it creates another executable file and runs it. (See the screenshot below.)
A file named 75095_VTS_tmp.srt is created here.
When we look at the newly created file in VirusTotal, we can see that it is a trojan.
Isn’t it amazing how a small thing that we already know, can be combined and made into a big attack? SEO has played a major part here. Without it, the attack could not have been successful.
Fortunately, there are ways to counter this. Using anti-virus engines, Cisco Secure Endpoint (AMP for Endpoints), and sandboxing from Cisco Threat Grid, Cisco Umbrella can identify and stop access to malicious torrent files. It takes advantage of intelligence from millions of new malware samples analyzed daily for the most effective defense against malicious files.
Cisco Umbrella continuously monitors cyber-space for the DNS infrastructures, IP networks, and malware used in current and former attacks. Our 100% proprietary security analytics provide the spatial and temporal relationships between every domain name, IP address, malware files, and networks — ultimately, uncovering when and where on the internet new cyber attacks, like these compromised WordPress pages, are being staged.
The lure of easy media downloads is strong. However, nothing comes for free. It helps to have an alert system, informed, and at the ready.
IOCS:
https://pastebin.com/ckntXJbF
https://pastebin.com/rgKq6DwJ
https://pastebin.com/BL3S8kT0
