Tomcat
Cybercriminals did not create their own malicious sites, but hacked legitimate WordPress portals.
Cybersecurity researchers at Menlo Security have discovered two malicious campaigns, Gootloader and SolarMarker, associated with operators of the ransomware REvil. The attacks use so-called SEO poisoning to install payloads on victims' systems.
This technique involves using search engine optimization mechanisms to draw more attention to malicious sites or to make uploaders more visible in search results. Due to their high search rankings, malicious sites appear legitimate, thus attracting a large number of victims.
Operators of malicious campaigns have entered keywords on their sites that cover more than 2,000 unique search queries, including "sports psychological toughness", "industrial hygiene review", "five levels of professional development assessment", etc. Sites optimized in this way are displayed in search results as PDF files. Site visitors are prompted to download the document, and after being redirected through a series of sites, the malware is loaded onto the user's system. Attackers use redirects to prevent their sites from being removed from search results.
During these campaigns, cybercriminals installed REvil ransomware through Gootloader and SolarMarker backdoors. Cybercriminals did not create their own malicious sites, but instead hacked legitimate WordPress portals that already ranked well on Google.
Business sites are primarily targeted by attackers, probably because they often host PDFs in the form of manuals and reports. The sites were hacked by exploiting a vulnerability in the WordPress Formidable Forms plugin that hackers used to upload a special PDF file to the `/wp-content/uploads/formidable/` folder.
Users of this plugin are recommended to upgrade to version 5.0.10 or later.
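For site owners who want to check their own installation against what the post describes, here is an added triage script (example code written for this thread, not from Menlo Security, the Formidable Forms project, or the original post). It assumes the plugin keeps its version in the standard WordPress plugin header of `wp-content/plugins/formidable/formidable.php` (an assumption about the file name) and compares it with the 5.0.10 fix version named above; it then lists files in `wp-content/uploads/formidable/`, flagging PDF lures and files whose extension and content disagree. The sample site tree it builds is constructed test data.

```python
"""Triage helper for the Formidable Forms upload path discussed in the post.

Added example, not code from the original post or from the plugin's authors.
Assumptions: the plugin's main file is wp-content/plugins/formidable/formidable.php
and carries a standard 'Version:' header; unexpected PDFs in
wp-content/uploads/formidable/ deserve a closer look.
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (5, 0, 10)                  # fix version named in the post
PDF_MAGIC = b"%PDF-"                        # first bytes of a genuine PDF
UPLOAD_SUBDIR = Path("wp-content") / "uploads" / "formidable"
PLUGIN_MAIN = Path("wp-content") / "plugins" / "formidable" / "formidable.php"  # assumption


def parse_version(header_text: str):
    """Pull 'Version: x.y.z' from a WordPress plugin header; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", header_text, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(version) -> bool:
    """True when the installed version is older than the fixed release (or unknown)."""
    return version is None or version < FIXED_VERSION


def scan_uploads(root: Path):
    """Return (relative_path, reason) pairs for suspicious files in the uploads folder.

    Flags PDFs (the lure type the post describes), files with a .pdf name but
    non-PDF content, and PDF content hiding behind another extension.
    """
    findings = []
    upload_dir = root / UPLOAD_SUBDIR
    if not upload_dir.is_dir():
        return findings
    for path in sorted(upload_dir.rglob("*")):
        if not path.is_file():
            continue
        looks_pdf = path.read_bytes()[:5].startswith(PDF_MAGIC)
        named_pdf = path.suffix.lower() == ".pdf"
        rel = path.relative_to(root).as_posix()
        if named_pdf and looks_pdf:
            findings.append((rel, "pdf-in-formidable-uploads"))
        elif named_pdf and not looks_pdf:
            findings.append((rel, "pdf-extension-non-pdf-content"))
        elif looks_pdf and not named_pdf:
            findings.append((rel, "pdf-content-non-pdf-extension"))
    return findings


def triage(root: Path) -> dict:
    """Combine the plugin version check and the uploads scan into one report."""
    plugin_file = root / PLUGIN_MAIN
    version = parse_version(plugin_file.read_text()) if plugin_file.is_file() else None
    return {
        "plugin_version": version,
        "plugin_vulnerable": is_vulnerable_version(version),
        "upload_findings": scan_uploads(root),
    }


def build_sample_site() -> Path:
    """Constructed WordPress tree used as sample input (not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    plugin = root / PLUGIN_MAIN
    plugin.parent.mkdir(parents=True)
    plugin.write_text("<?php\n/*\n * Plugin Name: Formidable Forms\n * Version: 5.0.9\n */\n")
    uploads = root / UPLOAD_SUBDIR
    uploads.mkdir(parents=True)
    (uploads / "form-export.csv").write_bytes(b"id,name\n1,test\n")          # benign export
    (uploads / "industrial-hygiene-review.pdf").write_bytes(b"%PDF-1.4\n%x\n")  # PDF named like a lure
    (uploads / "report.pdf").write_bytes(b"<html><script></script></html>")   # .pdf name, HTML content
    return root


if __name__ == "__main__":
    report = triage(build_sample_site())
    print(f"plugin version {report['plugin_version']}, vulnerable: {report['plugin_vulnerable']}")
    for rel, reason in report["upload_findings"]:
        print(f"  {reason}: {rel}")
```

Run it from the WordPress document root (replace `build_sample_site()` with `Path(".")`); a genuine PDF in that folder is not proof of compromise on its own, but combined with an out-of-date plugin version it is the pairing the post describes and worth a look at the file's upload time and referring traffic.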