SEO Poisoning to Distribute Malware Disguised as Legitimate Software Installers

Mandiant has identified a campaign that uses fake software installers for free productivity apps such as Zoom, Team Viewer, and Visual Studio to distribute Batloader, Ursnif, and Atera Agent malware. The campaign uses search engine optimization (SEO) poisoning to get web pages listed high in the search engine listings for certain search terms to drive traffic to the pages offering the software downloads. The researchers report that the campaign has targeted the search terms “free productivity apps installation” and “free software development tools installation,” and targets companies.

The web pages include links to malicious websites that host the malware-laced installers, with the landing pages using a Traffic Direction System (TDS) to determine whether the visitor should be directed to a legitimate webpage where they can download the installer or a malicious webpage. Visitors are only directed to the malicious web page if they have arrived from a search engine search. This technique is intended to prevent security researchers from identifying the campaign.

When victims land on the web pages to download the installers, legitimate software is provided as requested, but the installers also deliver Batloader malware. When the software installer is executed, Batloader malware is dropped and executed. Batloader is the first stage in a multi-stage infection process, which provides the attackers with initial access to a device. The attackers use living-of-the-land techniques that allow proxy execution of malicious payloads, including PowerShell, Msiexec.exe, and Mshta.exe. This approach helps the attacker avoid being detected by security solutions.

Batloader has been observed delivering and executing other payloads like the Ursnif banking Trojan and BEACON, along with legitimate tools to support remote access, privilege escalation, encryption, persistence, and payload launching. Atera Agent is also delivered and is used for lateral movement and more extensive compromises, including ransomware attacks

Mandiant identified attacks that use Mshta.exe to execute a Windows DLL that includes a malicious VBScript. The script makes changes to Windows Defender to add certain exceptions to ensure the attack is not detected. The VBScript has been added in a way that keeps the code signature valid. If the DLL file is run by itself, the VBScript is not executed. The VBScript only executes when run using Mshta.exe. Mandiant identified an alternate infection process that delivers Atera Agent directly via Google for free developer software or software cracks.

While it is currently unclear who is behind the campaign, Mandiant identified similarities to Conti ransomware attacks. In August 2021, a disgruntled Conti ransomware affiliate leaked documents, training material, and playbooks developed by the gang, and some of the activity in this campaign overlaps with those playbooks. While that could suggest the Conti gang is behind the campaign, the material was put in the public domain so other, unaffiliated actors could have replicated some of the techniques to achieve their own aims.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of