Cyber crooks are using a clever approach to deliver banking malware to the right victims: they are poisoning the search results for specific banking-related keywords.
“By targeting primarily financial-related keyword searches and ensuring that their malicious results are displayed, the attacker can attempt to maximize the conversion rate of their infections as they can be confident that infected users will be regularly using various financial platforms and thus will enable the attacker to quickly obtain credentials, banking and credit card information, etc,” Cisco Talos researchers noted.
Targeted search keyword combinations include “nordea sweden bank account number”, “how to cancel a cheque commonwealth bank”, “al rajhi bank working hours during ramadan”, “free online books for bank clerk exam”, “bank of baroda account balance check”, and so on.
The poisoned search result seem appropriate and benign, because the crooks have compromised legitimate websites that have been rated positively by many users:
The document is downloaded automatically, and the victims are prompted to open the file. If they do, they are prompted to “Enable Editing” and click “Enable Content”. This triggers the execution of a malicious macro, which finally downloads and executes the malware – in this case, a variant of the Zeus Panda banking Trojan – in several stages.
The malware does not run and removes itself if the target system uses the Russian, Belarusian, Ukrainian, or Kazakh language; if it detects that it is running in a virtual or sandbox environment; or if it detects the presence of one of a number of tools and utilities that malware analysts usually run when analyzing malware.
It also uses many techniques that makes malware analysis more difficult and time-consuming.
An unusal approach
Malware peddlers usually employ spam, malvertising, and watering hole attacks to target users. Search result poisoning is more often employed for tech support and fake AV scams.
In fact, the redirection system and associated infrastructure the researchers mapped in this attack has previously been used to do just that (and used the excuse of a Zeus infection to trick users into contacting the fake tech support).
“The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware. This is another example of how attackers regularly refine and change their techniques and illustrates why ongoing consumption of threat intelligence is essential for ensuring that organizations remain protected against new threats over time,” the researchers concluded.