SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More

SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More

Published on

Published on

Published on

Jul 16, 2024

Jul 16, 2024

Jul 16, 2024

SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More
SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More
SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More
TABLE OF CONTENTS

The Hunt Research Team recently stumbled upon Search Engine Optimization (SEO) poisoning campaigns posing as install sites for popular software. These attacks exploit users’ trust by crafting near-identical lookalike domains, often differing by only a single character.

SEO poisoning is a form of malvertising in which attackers use typosquatting, redirects, and keywords to convince search engine algorithms that a site is trustworthy and valuable to users.

In this blog post, we will explore instances of websites masquerading as well-known software, including Signal, TradingView, and Sleipnir web browser. The attackers meticulously designed the download pages to appear legitimate; one site even featured a News section with an “article” detailing browser updates, attempting to boost the site's appearance of authenticity.

Fraudulent Sleipnir Browser Download

Sleipnir, named after an animal from Norse mythology, is a web browser developed by Fenrir Inc., a Japanese company. Performing a search in Microsoft Bing returns the malicious site sleipnirbrowser_org (notice the spelling of the title) within the first 5 results.

https://app.hunt.io/images/blogs/seo-poisoning/figure_1.webp
Figure 1: Search Results for Sleipnir web browser in Bing (10 July 2024)

Navigating to the malicious domain, which resolves to 185.149.120_235,
directs us to a webpage that, despite its stylish and well-developed appearance (Figure 2), significantly diverges from the legitimate install page hosted by the actual developer (Figure 3).

https://app.hunt.io/images/blogs/seo-poisoning/figure_2.webp
Figure 2: Malicious Sleipnir install page

 
https://app.hunt.io/images/blogs/seo-poisoning/figure_3.webp

Figure 3: Legitimate download page for Sleipnir browser

Clicking on the “Download Now” button in Figure 2 presents the user with two install options: Mac OS and Windows.

We will focus on the Mac installer today. The hash for the PE file, which is about 600 MB in size, can be found in the Observables section at the end of this post.
https://app.hunt.io/images/blogs/seo-poisoning/figure_4.webp

Figure 4: Screenshot of browser download options

The file Sleipnir_setup.dmg (SHA-1: 7f9f68c91675e06745c7567d3baa563616fe8b7d) has no file icon but follows the typical installation process for Mac OS apps, leaving users unaware that their system is infected.

Analyzing the DMG in Hatching Triage, we see a large hex-encoded Apple Script resembling Poseidon/AMOS/Rodrigo stealer. In this case, the IP used for exfil, 79.137.192_4, matched a report by Malwarebytes in a similar campaign targeting Mac users with fake browser installs.

A screenshot of the script, including the botnet panel address http://79.137.192_4/p2p, can be seen below.

https://app.hunt.io/images/blogs/seo-poisoning/figure_5.webp
Figure 5: Snippet of AppleScript, including botnet panel (Source: Hatching Triage)

Investing & Crypto Installers

The following section details typosquatting domains targeting Chinese-language users through malicious search results. Among the affected are TradingView, an app for traders and investors, and AICoin, a digital currency platform.

https://app.hunt.io/images/blogs/seo-poisoning/figure_6.webp
Figure 6: Fake TradingView domain directly underneath the legitimate site.

 
https://app.hunt.io/images/blogs/seo-poisoning/figure_7.webp

Figure 7: (2) Typosquatted domains enclosed identified by red squares

These malicious domains, all resolving to the IP address 202.61.84_154 in Hong Kong, mimic numerous well-known brands such as Signal, CloudChat, and Lets Talk, as shown in Figure 8. We will first explore the fraudulent TradingView page before examining the fake AICoin installer.

https://app.hunt.io/images/blogs/seo-poisoning/figure_8.webp
Figure 8: Hunt domain view of IP hosting malicious domains

The fake TradingView webpage is almost a replica of the legitimate domain, except that many of the links were removed, only leaving download buttons for Windows, Mac OS, and Linux apps.

https://app.hunt.io/images/blogs/seo-poisoning/figure_9.webp
Figure 9: Screenshot of malicious TradingView website

Clicking on any of the buttons, regardless of the User-Agent, results in downloading a file named “TradingView.zip” SHA-1 hash: b91d8478178eb80c1b490fe62fa534aaef47c154 from the domain dabn36stqwe50.cloudfront_net. Unzipping the file drops a C/C++ portable executable simply named “TradingView.exe” SHA-1 hash: 71b510fa5dc20fd55218c1decf3db65b0f4c9377.

Vendor detections in VirusTotal are unable to come up with a malware family, but the EXE is categorized as a trojan.

https://app.hunt.io/images/blogs/seo-poisoning/figure_10.webp
Figure 10: VirusTotal results for tradingview.exe (Source: VirusTotal)

Network analysis of the sample reveals that a TCP request is made to a.dowm3_com, which resolves to 154.89.127_249, port 11670. No further information is available at this time as the port appears to no longer respond to requests.

AICoin

https://app.hunt.io/images/blogs/seo-poisoning/figure_11.webp
Figure 11: Malicious domains spoofing AICoin, with the legit site at the top

The domain aicoin_la/zh-CN distributes malicious downloads for Android and Mac OS. Interestingly, the Windows download redirects to the actual AICoin website, so it can be assumed that this is a targeted attack on those users. The same page in English hosts the same suspicious download buttons at aicoin_la/en.

*The QR codes were not analyzed as part of this blog post.
https://app.hunt.io/images/blogs/seo-poisoning/figure_12.webp

Figure 12: Screenshot of aicoin_la install page

The APK file, aicoin.apk SHA-1: 7c73f1df9d1f9708bcf84617c52ef3c4fe9ce87c, is self-hosted on the same server as the site. Alternatively, aicoin.dmg SHA-1: 91ddde751f30248348d70511de79ec394d5ed33f is downloaded from aicoin-app.oss-cn-shenzhen.aliyuncs_com.

As of this writing, VirusTotal and Hatching Triage mark the DMG file as clean, although it has some questionable behavior regarding system information discovery.

The APK file is scored as malicious by 5 VirusTotal vendors and again categorized as a trojan.
https://app.hunt.io/images/blogs/seo-poisoning/figure_13.webp

Figure 13: VirusTotal results of aicoin.apk (Source: VirusTotal)

Signal Gh0stRAT

The final malicious webpage we will look at targets the Signal messaging app. The threat actor used keywords to get their domain to the top of the results. Figure 14 below shows multiple references to the word “signal” along with Chinese-language characters.

Translating the text to English reads “download signal chat software download - signal download signal.”
https://app.hunt.io/images/blogs/seo-poisoning/figure_14.webp

Figure 14: SEO poisoning through keywords makes the domain appear at the top of the results

The ‘download signal’ keyword is a great example of how threat actors can get their malicious installers returned at the top of the list, even with a domain that doesn’t resemble the software.

Despite the domain name bbd.fredde_cn, the webpage in Figure 15 is believable. In a recurring theme, although multiple download buttons are presented, the only file available for download is ‘SignalSetup.msi’ SHA-1:
3426ce901e21b195e4609153c509b595b71edeb2.
https://app.hunt.io/images/blogs/seo-poisoning/figure_15.webp

Figure 15: Screenshot of malicious Signal install page

The .msi file reaches out to the domain hehua.cookielive_top which resolves to 154.197.49_2 on port 3190. Hatching Triage identifies the file as a Gh0stRAT variant, while only one vendor scores the file as malicious in VirusTotal.
https://app.hunt.io/images/blogs/seo-poisoning/figure_16.webp

Figure 16: Hatching Triage file analysis (Source: Triage)

Conclusion

This article discussed how cybercriminals leverage SEO poisoning to distribute malware such as Poseidon and GhostRAT via seemingly legitimate search results. The highlighted examples showcase the relatively low barrier to entry and the widespread nature of these attacks, emphasizing the need for heightened vigilance.

Individuals and organizations should consider implementing security measures, such as regular security assessments, user education, and approved software policies, to defend against these evolving threats.

Observables

Indicator TypeDetails
Sleipnir
Browser
Malicious Domain: sleipnirbrowser_org, 185.149.120_235
Poseidon/Rodrigo/AMOS C2: 79.137.192_4
TradingViewMalicious Domain: tradingviewzh-cn_com, 202.61.84_154
Download URL: dabn36stqwe50.cloudfront_net/tradingview.zip
Contacted Host: a.dowm3_com, 154.89.127_249
AICoinMalicious Domain: aicoin.la/zh-CN, 202.61.84_154
DMG Download:
aicoin-app.oss-cn-shenzhen.aliyuncs_com/aicoin.dmg
SignalMalicious Domain: bbd.fredde_cn
Contacted Host: hehua.cookielive_top, 154.197.49_2
TABLE OF CONTENTS

The Hunt Research Team recently stumbled upon Search Engine Optimization (SEO) poisoning campaigns posing as install sites for popular software. These attacks exploit users’ trust by crafting near-identical lookalike domains, often differing by only a single character.

SEO poisoning is a form of malvertising in which attackers use typosquatting, redirects, and keywords to convince search engine algorithms that a site is trustworthy and valuable to users.

In this blog post, we will explore instances of websites masquerading as well-known software, including Signal, TradingView, and Sleipnir web browser. The attackers meticulously designed the download pages to appear legitimate; one site even featured a News section with an “article” detailing browser updates, attempting to boost the site's appearance of authenticity.

Fraudulent Sleipnir Browser Download

Sleipnir, named after an animal from Norse mythology, is a web browser developed by Fenrir Inc., a Japanese company. Performing a search in Microsoft Bing returns the malicious site sleipnirbrowser_org (notice the spelling of the title) within the first 5 results.

https://app.hunt.io/images/blogs/seo-poisoning/figure_1.webp
Figure 1: Search Results for Sleipnir web browser in Bing (10 July 2024)

Navigating to the malicious domain, which resolves to 185.149.120_235,
directs us to a webpage that, despite its stylish and well-developed appearance (Figure 2), significantly diverges from the legitimate install page hosted by the actual developer (Figure 3).

https://app.hunt.io/images/blogs/seo-poisoning/figure_2.webp
Figure 2: Malicious Sleipnir install page

 
https://app.hunt.io/images/blogs/seo-poisoning/figure_3.webp

Figure 3: Legitimate download page for Sleipnir browser

Clicking on the “Download Now” button in Figure 2 presents the user with two install options: Mac OS and Windows.

We will focus on the Mac installer today. The hash for the PE file, which is about 600 MB in size, can be found in the Observables section at the end of this post.
https://app.hunt.io/images/blogs/seo-poisoning/figure_4.webp

Figure 4: Screenshot of browser download options

The file Sleipnir_setup.dmg (SHA-1: 7f9f68c91675e06745c7567d3baa563616fe8b7d) has no file icon but follows the typical installation process for Mac OS apps, leaving users unaware that their system is infected.

Analyzing the DMG in Hatching Triage, we see a large hex-encoded Apple Script resembling Poseidon/AMOS/Rodrigo stealer. In this case, the IP used for exfil, 79.137.192_4, matched a report by Malwarebytes in a similar campaign targeting Mac users with fake browser installs.

A screenshot of the script, including the botnet panel address http://79.137.192_4/p2p, can be seen below.

https://app.hunt.io/images/blogs/seo-poisoning/figure_5.webp
Figure 5: Snippet of AppleScript, including botnet panel (Source: Hatching Triage)

Investing & Crypto Installers

The following section details typosquatting domains targeting Chinese-language users through malicious search results. Among the affected are TradingView, an app for traders and investors, and AICoin, a digital currency platform.

https://app.hunt.io/images/blogs/seo-poisoning/figure_6.webp
Figure 6: Fake TradingView domain directly underneath the legitimate site.

 
https://app.hunt.io/images/blogs/seo-poisoning/figure_7.webp

Figure 7: (2) Typosquatted domains enclosed identified by red squares

These malicious domains, all resolving to the IP address 202.61.84_154 in Hong Kong, mimic numerous well-known brands such as Signal, CloudChat, and Lets Talk, as shown in Figure 8. We will first explore the fraudulent TradingView page before examining the fake AICoin installer.

https://app.hunt.io/images/blogs/seo-poisoning/figure_8.webp
Figure 8: Hunt domain view of IP hosting malicious domains

The fake TradingView webpage is almost a replica of the legitimate domain, except that many of the links were removed, only leaving download buttons for Windows, Mac OS, and Linux apps.

https://app.hunt.io/images/blogs/seo-poisoning/figure_9.webp
Figure 9: Screenshot of malicious TradingView website

Clicking on any of the buttons, regardless of the User-Agent, results in downloading a file named “TradingView.zip” SHA-1 hash: b91d8478178eb80c1b490fe62fa534aaef47c154 from the domain dabn36stqwe50.cloudfront_net. Unzipping the file drops a C/C++ portable executable simply named “TradingView.exe” SHA-1 hash: 71b510fa5dc20fd55218c1decf3db65b0f4c9377.

Vendor detections in VirusTotal are unable to come up with a malware family, but the EXE is categorized as a trojan.

https://app.hunt.io/images/blogs/seo-poisoning/figure_10.webp
Figure 10: VirusTotal results for tradingview.exe (Source: VirusTotal)

Network analysis of the sample reveals that a TCP request is made to a.dowm3_com, which resolves to 154.89.127_249, port 11670. No further information is available at this time as the port appears to no longer respond to requests.

AICoin

https://app.hunt.io/images/blogs/seo-poisoning/figure_11.webp
Figure 11: Malicious domains spoofing AICoin, with the legit site at the top

The domain aicoin_la/zh-CN distributes malicious downloads for Android and Mac OS. Interestingly, the Windows download redirects to the actual AICoin website, so it can be assumed that this is a targeted attack on those users. The same page in English hosts the same suspicious download buttons at aicoin_la/en.

*The QR codes were not analyzed as part of this blog post.
https://app.hunt.io/images/blogs/seo-poisoning/figure_12.webp

Figure 12: Screenshot of aicoin_la install page

The APK file, aicoin.apk SHA-1: 7c73f1df9d1f9708bcf84617c52ef3c4fe9ce87c, is self-hosted on the same server as the site. Alternatively, aicoin.dmg SHA-1: 91ddde751f30248348d70511de79ec394d5ed33f is downloaded from aicoin-app.oss-cn-shenzhen.aliyuncs_com.

As of this writing, VirusTotal and Hatching Triage mark the DMG file as clean, although it has some questionable behavior regarding system information discovery.

The APK file is scored as malicious by 5 VirusTotal vendors and again categorized as a trojan.
https://app.hunt.io/images/blogs/seo-poisoning/figure_13.webp

Figure 13: VirusTotal results of aicoin.apk (Source: VirusTotal)

Signal Gh0stRAT

The final malicious webpage we will look at targets the Signal messaging app. The threat actor used keywords to get their domain to the top of the results. Figure 14 below shows multiple references to the word “signal” along with Chinese-language characters.

Translating the text to English reads “download signal chat software download - signal download signal.”
https://app.hunt.io/images/blogs/seo-poisoning/figure_14.webp

Figure 14: SEO poisoning through keywords makes the domain appear at the top of the results

The ‘download signal’ keyword is a great example of how threat actors can get their malicious installers returned at the top of the list, even with a domain that doesn’t resemble the software.

Despite the domain name bbd.fredde_cn, the webpage in Figure 15 is believable. In a recurring theme, although multiple download buttons are presented, the only file available for download is ‘SignalSetup.msi’ SHA-1:
3426ce901e21b195e4609153c509b595b71edeb2.
https://app.hunt.io/images/blogs/seo-poisoning/figure_15.webp

Figure 15: Screenshot of malicious Signal install page

The .msi file reaches out to the domain hehua.cookielive_top which resolves to 154.197.49_2 on port 3190. Hatching Triage identifies the file as a Gh0stRAT variant, while only one vendor scores the file as malicious in VirusTotal.
https://app.hunt.io/images/blogs/seo-poisoning/figure_16.webp

Figure 16: Hatching Triage file analysis (Source: Triage)

Conclusion

This article discussed how cybercriminals leverage SEO poisoning to distribute malware such as Poseidon and GhostRAT via seemingly legitimate search results. The highlighted examples showcase the relatively low barrier to entry and the widespread nature of these attacks, emphasizing the need for heightened vigilance.

Individuals and organizations should consider implementing security measures, such as regular security assessments, user education, and approved software policies, to defend against these evolving threats.

Observables

Indicator TypeDetails
Sleipnir
Browser
Malicious Domain: sleipnirbrowser_org, 185.149.120_235
Poseidon/Rodrigo/AMOS C2: 79.137.192_4
TradingViewMalicious Domain: tradingviewzh-cn_com, 202.61.84_154
Download URL: dabn36stqwe50.cloudfront_net/tradingview.zip
Contacted Host: a.dowm3_com, 154.89.127_249
AICoinMalicious Domain: aicoin.la/zh-CN, 202.61.84_154
DMG Download:
aicoin-app.oss-cn-shenzhen.aliyuncs_com/aicoin.dmg
SignalMalicious Domain: bbd.fredde_cn
Contacted Host: hehua.cookielive_top, 154.197.49_2

Related Posts:

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.