Cybercriminals Using SEO Poisoning To Spread Malware



Batloader and Atera Agent malware were discovered in an SEO poisoning effort. Professionals looking for useful tools are the intended audience (e.g. Visual Studio, Zoom, and TeamViewer).

What SEO strategies are used?

By ranking bogus sites for the most searched phrases on Google, attackers use SEO tactics to skew search results. Hackers are targeting Microsoft Visual Studio 2015, Zoom, and TeamViewer in this case, among others.

When a visitor clicks on the malicious search results link, they are taken to a site that has already been infiltrated and has a Traffic Direction System installed (TDS).


Following the reroute, the site displays a bogus forum discussion in which a person inquires about a specific programme and another bogus user offers a download link.


When you click the download link, a bundled malware installer with the name of the desired application is created. People fall for it because of the software’s validity, which is true in most circumstances.

Infection with malware

Two distinct infection chains drop malware payloads on the machine if the downloaded installer is active.

The initial infection chain bundles BATLOADER, Atera Agent, and Ursnif with false software. The ATERA Agent is dropped without the malware loading steps in the second infection.

MSHTA was also used in the first infection chain to run a genuine Windows DLL (AppResolver) loaded with malicious VBScript to tamper with Defender settings and add particular exclusions.

The Conti relationship

Some of the strategies used in the campaigns, according to the researchers, are similar to those in the Conti playbooks, which were leaked in August 2020 and then reproduced by numerous groups and individuals.



Indirectly, the latest campaign demonstrates the need for data to target professionals. Furthermore, it is never a good idea to download productivity programmes from third-party stores and websites. As a result, when downloading software or programmes, always utilise reputable anti-malware solutions and approved sources.


IEMLabs is an ISO 27001:2013 and ISO 9001:2015 certified company, we are also a proud member of EC Council, NASSCOM, Data Security Council of India (DSCI), Indian Chamber of Commerce (ICC), U.S. Chamber of Commerce, and Confederation of Indian Industry (CII). The company was established in 2016 with a vision in mind to provide Cyber Security to the digital world and make them Hack Proof. The question is why are we suddenly talking about Cyber Security and all this stuff? With the development of technology, more and more companies are shifting their business to Digital World which is resulting in the increase in Cyber Crimes.

Leave a comment

Your email address will not be published.

This site is under maintenance,
some features might not work!!!