Batloader and Atera Agent malware were discovered in an SEO poisoning campaign. The intended victims are professionals searching for productivity tools such as Visual Studio, Zoom and TeamViewer.
What SEO strategies are used?
Attackers use SEO tactics to push bogus sites to the top of Google results for commonly searched phrases. In this campaign the search terms target Microsoft Visual Studio 2015, Zoom and TeamViewer, among other tools.
When a visitor clicks the malicious search result, they are taken to a compromised site on which a Traffic Direction System (TDS) has been installed, and the TDS redirects them onward.
After the redirect, the site displays a fake forum thread in which one user asks about a specific programme and another fake user offers a download link.
Clicking the download link delivers a bundled malware installer named after the requested application. Victims rarely suspect anything because, in most cases, the bundle also installs the genuine software.
Infection with malware
Two distinct infection chains drop malware payloads on the machine once the downloaded installer is run.
The first infection chain bundles BATLOADER, Atera Agent (a legitimate remote-management agent abused for persistence) and Ursnif with the fake software. The second chain drops Atera Agent directly, without the intermediate malware-loading steps.
In the first chain the attackers also used mshta.exe to execute a genuine Windows DLL (AppResolver.dll) that carried embedded malicious VBScript. mshta parses the file as HTML regardless of its extension and runs any script block it finds, so the legitimate DLL acts as a carrier for the script, which tampers with Microsoft Defender settings and adds specific exclusions.
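The two behaviours above (mshta.exe executing something that is not an .hta file, and Defender exclusions being added) are both detectable from ordinary endpoint telemetry. The following is an added example written for this page, not code from the original article or from the researchers; it runs simple detection logic over constructed log lines in a simplified "EventID|Image|Message" format that loosely mirrors Sysmon Event ID 1 (process creation) and Defender Operational Event ID 5007 (configuration changed). The field layout, paths and event text are assumptions made for the example.

```python
"""Detection logic for mshta.exe abuse and Defender exclusion changes.

Added example for this page, not the article's or the researchers' code.
Log format, paths and event text below are constructed for the example.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events: "EventID|Image|Message" (assumed layout).
# For EventID 1 the message is the command line; for 5007 it is the
# Defender configuration-change text.
SAMPLE_EVENTS = [
    "1|C:\\Windows\\System32\\mshta.exe|"
    "mshta.exe C:\\Users\\user\\AppData\\Local\\Temp\\AppResolver.dll",
    "1|C:\\Windows\\System32\\mshta.exe|mshta.exe C:\\Tools\\helper.hta",
    "1|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -Command Set-MpPreference -ExclusionPath C:\\Users\\user\\AppData",
    "1|C:\\Windows\\System32\\notepad.exe|notepad.exe notes.txt",
    "5007|MsMpEng|Microsoft Defender Antivirus Configuration has changed. "
    "Old value: New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
    "Exclusions\\Paths\\C:\\Users\\user\\AppData = 0x0",
]

# Ways an exclusion can be added: PowerShell cmdlets, or the registry
# key that shows up in the Defender 5007 event text.
EXCLUSION_PATTERNS = [
    re.compile(r"(Set|Add)-MpPreference\s.*-Exclusion(Path|Process|Extension)", re.I),
    re.compile(r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)", re.I),
]


def parse_event(line):
    """Split one constructed log line into its three fields."""
    event_id, image, message = line.split("|", 2)
    return {"event_id": event_id, "image": image, "message": message}


def mshta_non_hta_targets(events):
    """Return targets that mshta.exe was asked to run which are not .hta files.

    Covers the DLL-carrier trick (a PE file with a script block inside) and
    inline vbscript:/javascript: protocol handlers. Unquoted paths with
    spaces are not handled; quote them in real telemetry parsing.
    """
    hits = []
    for ev in map(parse_event, events):
        if ev["event_id"] != "1":
            continue
        if PureWindowsPath(ev["image"]).name.lower() != "mshta.exe":
            continue
        parts = ev["message"].split(None, 1)
        target = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if not target:
            continue
        inline_script = target.lower().startswith(("vbscript:", "javascript:"))
        if inline_script or PureWindowsPath(target).suffix.lower() != ".hta":
            hits.append(target)
    return hits


def defender_exclusion_changes(events):
    """Return (event_id, message) for events that add a Defender exclusion."""
    hits = []
    for ev in map(parse_event, events):
        if any(p.search(ev["message"]) for p in EXCLUSION_PATTERNS):
            hits.append((ev["event_id"], ev["message"]))
    return hits


if __name__ == "__main__":
    for target in mshta_non_hta_targets(SAMPLE_EVENTS):
        print("mshta ran a non-.hta target:", target)
    for event_id, message in defender_exclusion_changes(SAMPLE_EVENTS):
        print(f"Defender exclusion change (event {event_id}):", message)
```

On the sample data the first function flags only the AppResolver.dll launch, and the second flags both the Set-MpPreference command line and the 5007 configuration-change event. A legitimate .hta launch is deliberately not flagged, so the rule keys on the mismatch between mshta and its target rather than on mshta alone.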
The Conti relationship
According to the researchers, some of the techniques used in the campaign resemble those in the Conti playbooks, which were leaked in August 2021 and have since been reused by numerous groups and individuals.
Indirectly, the campaign shows how attackers use the tools professionals search for as the lure to reach them. Downloading productivity programmes from third-party sites and stores is never a good idea: obtain software from the vendor or another approved source, and run a reputable anti-malware solution when installing it.