Attackers are leveraging a clever SEO poisoning attack to target Chinese-speaking users, manipulating search results to trick them into downloading malware. By creating fake websites that look like legitimate software download sites, they’re able to lure unsuspecting users. The attackers use slight changes to domain names and boost these fake sites’ rankings in search results, making them appear trustworthy. Once a user visits one of these sites, they are prompted to download what they think is a legitimate application, but the installer also secretly contains hidden malware, which makes it harder for security tools to detect.
A key part of the campaign is a script called “nice.js,” which handles a complex chain of redirects to deliver the malicious installer to the user. Researchers analyzing a fake DeepL installer found that the malware, which included files like “EnumW.dll,” was specifically designed to evade detection. It checks if it’s running in a safe testing environment and validates whether it was launched correctly before deploying its hidden components. The malware also adapts its behavior if it detects common antivirus software like 360 Total Security, further complicating its discovery.
After passing these checks, the malware establishes persistence on the victim’s system. It can create new files and set up various ways to ensure it remains active, even after a system reboot. This allows it to perform its malicious functions for an extended period. According to cybersecurity experts, this type of SEO poisoning campaign is so effective because it leverages users’ trust in top-ranking search results. It’s essentially a scalable way for attackers to direct people to sites loaded with malware.
Once it’s fully operational, the final malware payload can do a lot of damage. It continuously monitors the victim’s system, collecting data, logging keystrokes, and even hijacking cryptocurrency wallets. It can also communicate with the attackers’ command-and-control servers to receive new instructions or update its configuration. Researchers also found plugins suggesting the malware is particularly interested in intercepting Telegram activity and monitoring the user’s screen.
The malware families used in this campaign have been identified as variants of Hiddengh0st and Winos. Because the stolen information can be used for future attacks, the overall threat is considered high. To protect against these types of attacks, security experts recommend that organizations implement multi-language security training, use DNS filtering to block malicious sites, and enforce strict policies for where employees can download software.
Reference:
