SEO Poisoning Campaigns Target Browser Installers and Crypto Sites, Spreading Poseidon, GhostRAT & More

Published on Jul 16, 2024

The Hunt Research Team recently stumbled upon Search Engine Optimization (SEO) poisoning campaigns posing as install sites for popular software. These attacks exploit users’ trust by crafting near-identical lookalike domains, often differing by only a single character.

SEO poisoning is a form of malvertising in which attackers use typosquatting, redirects, and keywords to convince search engine algorithms that a site is trustworthy and valuable to users.

In this blog post, we will explore instances of websites masquerading as well-known software, including Signal, TradingView, and Sleipnir web browser. The attackers meticulously designed the download pages to appear legitimate; one site even featured a News section with an “article” detailing browser updates, attempting to boost the site's appearance of authenticity.

Fraudulent Sleipnir Browser Download

Sleipnir, named after an animal from Norse mythology, is a web browser developed by Fenrir Inc., a Japanese company. Performing a search in Microsoft Bing returns the malicious site sleipnirbrowser_org (notice the spelling of the title) within the first 5 results.

https://app.hunt.io/images/blogs/seo-poisoning/figure_1.webp
Figure 1: Search Results for Sleipnir web browser in Bing (10 July 2024)

Navigating to the malicious domain, which resolves to 185.149.120_235, directs us to a webpage that, despite its stylish and well-developed appearance (Figure 2), significantly diverges from the legitimate install page hosted by the actual developer (Figure 3).

https://app.hunt.io/images/blogs/seo-poisoning/figure_2.webp
Figure 2: Malicious Sleipnir install page

https://app.hunt.io/images/blogs/seo-poisoning/figure_3.webp
Figure 3: Legitimate download page for Sleipnir browser

Clicking on the “Download Now” button in Figure 2 presents the user with two install options: Mac OS and Windows.

We will focus on the Mac installer today. The hash for the PE file, which is about 600 MB in size, can be found in the Observables section at the end of this post.

https://app.hunt.io/images/blogs/seo-poisoning/figure_4.webp
Figure 4: Screenshot of browser download options

The file Sleipnir_setup.dmg (SHA-1: 7f9f68c91675e06745c7567d3baa563616fe8b7d) has no file icon but follows the typical installation process for Mac OS apps, leaving users unaware that their system is infected.

Analyzing the DMG in Hatching Triage, we see a large hex-encoded AppleScript resembling the Poseidon/AMOS/Rodrigo stealer. In this case, the IP used for exfiltration, 79.137.192_4, matched a report by Malwarebytes on a similar campaign targeting Mac users with fake browser installers.

A screenshot of the script, including the botnet panel address http://79.137.192_4/p2p, can be seen below.

https://app.hunt.io/images/blogs/seo-poisoning/figure_5.webp
Figure 5: Snippet of AppleScript, including botnet panel (Source: Hatching Triage)

Investing & Crypto Installers

The following section details typosquatting domains targeting Chinese-language users through malicious search results. Among the affected are TradingView, an app for traders and investors, and AICoin, a digital currency platform.

https://app.hunt.io/images/blogs/seo-poisoning/figure_6.webp
Figure 6: Fake TradingView domain directly underneath the legitimate site

https://app.hunt.io/images/blogs/seo-poisoning/figure_7.webp
Figure 7: Two typosquatted domains, identified by red squares

These malicious domains, all resolving to the IP address 202.61.84_154 in Hong Kong, mimic numerous well-known brands such as Signal, CloudChat, and Lets Talk, as shown in Figure 8. We will first explore the fraudulent TradingView page before examining the fake AICoin installer.

https://app.hunt.io/images/blogs/seo-poisoning/figure_8.webp
Figure 8: Hunt domain view of IP hosting malicious domains

The fake TradingView webpage is almost a replica of the legitimate domain, except that many of the links were removed, only leaving download buttons for Windows, Mac OS, and Linux apps.

https://app.hunt.io/images/blogs/seo-poisoning/figure_9.webp
Figure 9: Screenshot of malicious TradingView website

Clicking on any of the buttons, regardless of the User-Agent, results in downloading a file named “TradingView.zip” (SHA-1: b91d8478178eb80c1b490fe62fa534aaef47c154) from the domain dabn36stqwe50.cloudfront_net. Unzipping the file drops a C/C++ portable executable simply named “TradingView.exe” (SHA-1: 71b510fa5dc20fd55218c1decf3db65b0f4c9377).

Vendor detections in VirusTotal are unable to come up with a malware family, but the EXE is categorized as a trojan.

https://app.hunt.io/images/blogs/seo-poisoning/figure_10.webp
Figure 10: VirusTotal results for tradingview.exe (Source: VirusTotal)

Network analysis of the sample reveals that a TCP request is made to a.dowm3_com, which resolves to 154.89.127_249, port 11670. No further information is available at this time as the port appears to no longer respond to requests.

AICoin

https://app.hunt.io/images/blogs/seo-poisoning/figure_11.webp
Figure 11: Malicious domains spoofing AICoin, with the legit site at the top

The domain aicoin_la/zh-CN distributes malicious downloads for Android and Mac OS. Interestingly, the Windows download redirects to the actual AICoin website, so it can be assumed that this attack is targeted at Android and Mac OS users. The same page in English hosts the same suspicious download buttons at aicoin_la/en.

*The QR codes were not analyzed as part of this blog post.

https://app.hunt.io/images/blogs/seo-poisoning/figure_12.webp
Figure 12: Screenshot of aicoin_la install page

The APK file, aicoin.apk (SHA-1: 7c73f1df9d1f9708bcf84617c52ef3c4fe9ce87c), is self-hosted on the same server as the site. The Mac installer, aicoin.dmg (SHA-1: 91ddde751f30248348d70511de79ec394d5ed33f), is instead downloaded from aicoin-app.oss-cn-shenzhen.aliyuncs_com.

As of this writing, VirusTotal and Hatching Triage mark the DMG file as clean, although it has some questionable behavior regarding system information discovery.

The APK file is scored as malicious by 5 VirusTotal vendors and is again categorized as a trojan.

https://app.hunt.io/images/blogs/seo-poisoning/figure_13.webp
Figure 13: VirusTotal results of aicoin.apk (Source: VirusTotal)

Signal Gh0stRAT

The final malicious webpage we will look at targets the Signal messaging app. The threat actor used keywords to get their domain to the top of the results. Figure 14 below shows multiple references to the word “signal” along with Chinese-language characters.

Translating the text to English reads “download signal chat software download - signal download signal.”

https://app.hunt.io/images/blogs/seo-poisoning/figure_14.webp
Figure 14: SEO poisoning through keywords makes the domain appear at the top of the results

The ‘download signal’ keyword is a great example of how threat actors can get their malicious installers returned at the top of the list, even with a domain that doesn’t resemble the software.

Despite the domain name bbd.fredde_cn, the webpage in Figure 15 is believable. In a recurring theme, although multiple download buttons are presented, the only file available for download is ‘SignalSetup.msi’ (SHA-1: 3426ce901e21b195e4609153c509b595b71edeb2).

https://app.hunt.io/images/blogs/seo-poisoning/figure_15.webp
Figure 15: Screenshot of malicious Signal install page

The .msi file reaches out to the domain hehua.cookielive_top, which resolves to 154.197.49_2, on port 3190. Hatching Triage identifies the file as a Gh0stRAT variant, while only one vendor scores the file as malicious in VirusTotal.

https://app.hunt.io/images/blogs/seo-poisoning/figure_16.webp
Figure 16: Hatching Triage file analysis (Source: Triage)

Conclusion

This article discussed how cybercriminals leverage SEO poisoning to distribute malware such as Poseidon and GhostRAT via seemingly legitimate search results. The highlighted examples showcase the relatively low barrier to entry and the widespread nature of these attacks, emphasizing the need for heightened vigilance.

Individuals and organizations should consider implementing security measures, such as regular security assessments, user education, and approved software policies, to defend against these evolving threats.

Observables

Indicator Type | Details
Sleipnir Browser | Malicious Domain: sleipnirbrowser_org, 185.149.120_235
Sleipnir Browser | Poseidon/Rodrigo/AMOS C2: 79.137.192_4
TradingView | Malicious Domain: tradingviewzh-cn_com, 202.61.84_154
TradingView | Download URL: dabn36stqwe50.cloudfront_net/tradingview.zip
TradingView | Contacted Host: a.dowm3_com, 154.89.127_249
AICoin | Malicious Domain: aicoin.la/zh-CN, 202.61.84_154
AICoin | DMG Download: aicoin-app.oss-cn-shenzhen.aliyuncs_com/aicoin.dmg
Signal | Malicious Domain: bbd.fredde_cn
Signal | Contacted Host: hehua.cookielive_top, 154.197.49_2
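To turn the observables above into a detection, here is an added example (not code from the Hunt post) that refangs the indicators as written in this post (its "_"-for-"." convention) and matches them against constructed DNS, proxy and firewall log lines; the log format and the labels are assumptions for the example.

```python
import re
from collections import namedtuple

# Indicators as listed in the Observables section, in the post's defanged form
# (the last "." of a domain or IP is written as "_").
DEFANGED_IOCS = {
    "sleipnirbrowser_org": "Sleipnir malicious domain",
    "185.149.120_235": "Sleipnir hosting IP",
    "79.137.192_4": "Poseidon/Rodrigo/AMOS C2",
    "tradingviewzh-cn_com": "TradingView malicious domain",
    "dabn36stqwe50.cloudfront_net": "TradingView download host",
    "a.dowm3_com": "TradingView.exe contacted host",
    "154.89.127_249": "TradingView.exe contacted IP",
    "aicoin_la": "AICoin malicious domain",
    "202.61.84_154": "Shared Hong Kong hosting IP",
    "aicoin-app.oss-cn-shenzhen.aliyuncs_com": "AICoin DMG download host",
    "bbd.fredde_cn": "Signal malicious domain",
    "hehua.cookielive_top": "Gh0stRAT contacted host",
    "154.197.49_2": "Gh0stRAT contacted IP",
}


def refang(indicator):
    """Convert the post's defanged form ('host_tld', '1.2.3_4') back to a real value."""
    return indicator.replace("_", ".")


WATCHLIST = {refang(k): v for k, v in DEFANGED_IOCS.items()}

# Constructed sample log lines (not from the post): DNS, proxy and firewall events.
SAMPLE_LOGS = [
    "2024-07-10T09:12:01Z dns query=sleipnirbrowser.org type=A src=10.0.0.15",
    "2024-07-10T09:12:04Z dns query=www.fenrir-inc.com type=A src=10.0.0.15",
    "2024-07-10T09:13:22Z proxy GET https://dabn36stqwe50.cloudfront.net/tradingview.zip src=10.0.0.22",
    "2024-07-10T09:14:05Z fw conn src=10.0.0.22 dst=154.89.127.249:11670 proto=tcp",
    "2024-07-10T09:15:40Z fw conn src=10.0.0.31 dst=154.197.49.2:3190 proto=tcp",
    "2024-07-10T09:16:00Z dns query=aicoin.com type=A src=10.0.0.31",
]

# Hostname or IP after a DNS query, a URL scheme, or a firewall destination, with optional port.
HOST_RE = re.compile(r"(?:query=|https?://|dst=)([A-Za-z0-9.-]+)(?::(\d+))?")

Match = namedtuple("Match", "line indicator label port")


def scan(lines, watchlist=WATCHLIST):
    """Return a Match for every log line whose host equals, or is a subdomain of, a watchlisted IoC."""
    hits = []
    for line in lines:
        for m in HOST_RE.finditer(line):
            host, port = m.group(1), m.group(2)
            for ioc, label in watchlist.items():
                if host == ioc or host.endswith("." + ioc):
                    hits.append(Match(line, ioc, label, int(port) if port else None))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"[{hit.label}] {hit.indicator} port={hit.port} :: {hit.line}")
```

Suffix matching means a sighting of any subdomain of a listed domain is also flagged, while the legitimate aicoin.com and fenrir-inc.com queries in the sample are not.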