IntroductionZscaler ThreatLabz researchers recently encountered a significant number of websites associated with fraudulent activities being hosted on popular web hosting and blogging platforms. Threat actors intentionally create these sites to spread malware by using the proliferation of web hosting platforms to manipulate search engine results – something called SEO poisoning, a subset of Black Hat SEO techniques. This catapults their fraudulent site to the top of a user’s search results, increasing the likelihood of inadvertently selecting a malicious site and potentially infecting their system with malware. These sites don’t belong to any specific category, as they encompass a wide range of interests such as pirated software, gaming, traveling, and food recipes. The broad coverage seems aimed at further ensuring their visibility in internet search results.

In this blog, we delve into the tactics employed by threat actors to distribute malicious information stealers, and evade detection using obfuscation and anti-debugging techniques.

Key Takeaways
Threat actors utilize fraudulent websites hosted on popular legitimate platforms to spread malware and steal data. To evade detection, attackers employ obfuscation methods and checks on referral URLs. They redirect users based on whether users access the site directly or through a search engine.
Malicious payloads are delivered through multi-level zipped files, often hidden within seemingly innocuous content. Users may unknowingly execute these payloads during software installations.
Once executed, malicious DLLs and scripts perform activities such as process hollowing, DLL sideloading, and executing PowerShell commands to download additional malware and initiating communication with command-and-control (C2) servers.
The malware gathers extensive data including system information, browser data, credentials, and browsing history. It also monitors emails pertaining to cryptocurrency exchanges and possesses the capability to modify email content, as well as potentially steal one-time authentication codes.

Looks Can Be DeceivingThe screenshot below is an example of a fraudulent website being hosted on Weebly that could appear in Google search results when users perform related searches. Even though the webpage appears legitimate and has a “Powered by Weebly” label, it’s actually dangerous. This combination of seeming authentic and being associated with Weebly, a real and reputable platform, makes it more likely that users will download malware without realizing it.

Figure 1: An example of a scam website hosted on Weebly.

How It WorksThe sequence begins with threat actors creating a fake site on a web hosting service, which remains undetected by the hosting service itself. When a user searches for relevant information and clicks on a link from the search results, they unknowingly access the malicious site.

Interestingly, if the user directly enters the URL instead of clicking on the link, it bypasses this interaction, potentially to avoid analysis by security researchers – a topic further explored in the next section.

Evasion techniquesThreat actors employ checks on these malicious sites designed to evade detection by researchers. Upon loading, they verify the referral URL. If it originates from search engines like Google, Bing, DuckDuckGo, Yahoo, or AOL, the site proceeds to the next page. If the user accesses the website directly, indicating potential analysis, the site avoids redirection.

The following screenshot showcases an obfuscated script which checks and redirects users accordingly.

Figure 2: The obfuscated code responsible for checking and redirecting users to evade detection.

This obfuscation method employs string concatenation and mathematical manipulation to hide the code’s logic. It combines strings or arrays to create expressions and manipulates values through mathematical operations to make the code more difficult to understand.

The screenshot below shows the decoded JavaScript code that’s hidden in the heavily obfuscated code mentioned above.

Figure 3: The decoded JavaScript code hidden in the heavily obfuscated code.

Payload deliveryConsider a scenario where a user searches for a cracked version of software on a search engine. One of these malicious websites may prominently feature in search results, where the user proceeds to select one. Once the above-mentioned script confirms that the user landed on the page through a search engine, it displays a fake MediaFire page hosted on Weebly.com that appears legitimate. However, instead of cracked software, the user may inadvertently download malware, thus initiating the malicious payload delivery.

As an example, the figure below shows a comparison of a fraudulent and legitimate MediaFire page. Both pages are similar; however, examining the URL provides clear indications that one of them is fraudulent because it does not use the MediaFire domain.

Figure 4: A comparison of a fake and legitimate MediaFire page.

The payload file downloaded from the fake MediaFire page has a two-level zipped structure.

Upon extracting the first ZIP archive, the victim will find another ZIP archive inside. This secondary ZIP archive is password-protected and the password is located in an image inside the first ZIP archive. This represents the second technique employed by attackers to evade detection.

The screenshot below depicts the two-level zipped structure.

Figure 5: The files after extracting two ZIP archives.

Upon executing the extracted setup.exe file, the installation process initiates. This setup file will install the genuine GNU Privacy Guard, an OpenPGP cryptographic software suite widely utilized to enhance the security of email communications. During the installation process, we have observed that alongside setting up the genuine GNU Privacy Guard (GPG), a malicious DLL is also dropped into the same directory. This DLL utilizes DLL sideloading techniques to execute malicious activities under the guise of legitimate processes.

The screenshot below shows the malicious DLL within the directory.

Figure 6: A screenshot of the malicious DLL libgcrypt-20.dll loaded using DLL sideloading.

Subsequently, this malicious DLL begins executing its activities. To evade detection, it triggers the execution of explorer.exe and utilizes process hollowing techniques.

Below, we outline the steps involved in the process.

The attacker exploits an undocumented API, CreateProcessInternalA, to initiate a suspended explorer.exe process, then utilizes NtQueryInformationProcess to acquire its base address. After replacing legitimate content with the malicious payload via NtUnmapViewOfSection, VirtualAllocEx allocates memory within the target process. WriteProcessMemory copies the payload, and ResumeThread resumes execution, completing the injection process.

Furthermore, explorer.exe will initiate the execution of the PowerShell executable, passing along a malicious command-line argument, -windowstyle hidden, to the PowerShell console. The screenshot below shows the decoded version of this command-line argument. This command-line instructs PowerShell to download a heavily obfuscated script from a specified URL. Subsequently, it replaces certain special characters with alphabetical characters. The resulting string is decoded using the FromBase64String method. The decoded Base64 string undergoes XOR operations with the values 167 and 18.

The screenshot below shows the malicious command-line argument.

Figure 7: The malicious command-line argument.

The screenshot below depicts a section of the Base64-encoded file retrieved from the URL provided. This special character replacement prior to decoding is specifically designed to evade detection by antivirus software, enhancing the malware’s ability to bypass security measures effectively.

Figure 8: The malicious file Base64-encoded file with special character replacement.

This file exhibits multilayered obfuscation. After undergoing the initial level of deobfuscation, certain parts of the script remain obfuscated. Additionally, there are segments of code included within the script responsible for deobfuscating these encoded portions.

The screenshot below shows the second level of deobfuscation.

Figure 9: The second level of deobfuscation.

The obfuscated script primarily consists of JavaScript files related to a malicious browser extension. Upon execution, PowerShell will drop multiple files into the directory at C:UsersusernameAppDataLocalDefault and create a browser shortcut on the user’s Desktop. The target path for this shortcut will point to the malicious browser extensions located at “C:Program FilesGoogleChromeApplicationchrome.exe” –load-extension=”C:UserstestAppDataLocalDefault”.

The –load-extension is a command-line option used with certain web browsers. It allows users to load extensions into the browser during startup.

The screenshot below shows the files associated with the browser extensions.

Figure 10: Files related to the browser extensions.

The screenshot below shows the manifest.json file associated with this malicious extension. The file includes:

The list of permissions required by the browser extension.
Numerous JavaScript files, all of which are heavily obfuscated.
Attempts to disguise itself as a Google Drive extension.

Figure 11: The manifest.json related to the extension.

Network AnalysisAfter the initial execution through DLL sideloading, a malicious PowerShell script establishes communication with aprel88[.]com/getLicenseInfo.php?requirements=time&checkMethod=2 through a GET request. The malicious hollowed explorer.exe process initiates two transactions to download a malicious DLL from t9z[.]lol/imvLbzv05W and a BIN file from 1blob[.]monster/pidaras/142.bin. Subsequently, the malicious DLL is executed using rundll32.exe.

Further malicious activity is observed which was linked to a PowerShell script. Notably, the domain good2-led[.]com is identified as the source responsible for downloading files associated with a browser extension.

The screenshot below shows the malicious network traffic.

Figure 12: A screenshot of the malicious traffic.

Upon initiating the Chrome browser through its shortcut, a malicious extension is loaded, triggering communication with a malicious C2 server. Before this communication takes place, the extension sends a request to blockchain.info, specifically to the URL blockchain.info/address/address, utilizing the Bitcoin address bc1qnxwt7sr3rqatd6efjyym3nsgxhslyzeqndhjpn.

In response, the extension retrieves a Base58-encoded string, which upon decoding, discloses the location of the C2 server. The address 1A9mJv7MHkSzMqe4TEdfyttEz9ZcZugyLR was returned as a result of this request. Decoding this string reveals the domain dark-confusion[.]com, which corresponds to the aforementioned address.

Information TheftAfter initiating communication with the C2 server, the malicious extension engages in information theft, gathering a wide range of data including:

System information
Browser cookies
Browser fingerprints
Credentials
Machine information
Browser extensions
Extension permissions
Cookies
Browser history

During communication with the C2 server, the malware responds with a list of strings such as:

onedrive
bankofamerica.com
billing
ads.microsoft.com
secure
digicert
coinbase
evernote
crypto
admin

Note: It’s important to monitor traffic associated with these keywords. See the Indicators Of Compromise (IOCs) section at the end of the blog for additional strings associated with stealer activity.

Additionally, it possesses the capability to inject code into web-based email applications through two JavaScript files: gmail.js and main.js. It specifically targets messages related to cryptocurrency trading across various exchanges such as OKX, Binance, Bybit, Gate, Poloniex, Mexc, Bitget, Kucoin, Huobi, and Lbank. Figure 13 and 14, shown below, show a portion of the script responsible for these activities.

The script employs the checkWithdrawalLetter function, highlighted in the screenshot below, to scrutinize emails for withdrawal requests associated with cryptocurrency trading. Upon identifying a match, it proceeds to modify the email content to resemble a sign-in email, thereby altering the appearance for deceptive purposes. Additionally, it includes functionality within the getCode function, highlighted in the figure below, to extract and validate six-digit authentication codes received via email using regular expressions.

Figure 13: JavaScript code that monitors and modifies email content.

The screenshot below shows a list of cryptocurrency exchanges and titles required for email modification.

Figure 14: List of cryptocurrency exchanges and titles required for email modification.

The screenshot below shows the post-infection network traffic.

Figure 15: A screenshot of post-infection traffic.

ConclusionThis campaign underscores the exploitation of user behavior by attackers who leverage Black Hat SEO, specifically SEO poisoning, to spread malware, ultimately aiming to extort victims for financial gain and other benefits. These analyzed campaigns rely on users’ engagement with seemingly “trustworthy” websites to initiate the infection process. Individuals can effectively prevent such harmful infections by refraining from downloading software from suspicious sources. Instead, they should prioritize visiting reputable websites and exclusively download software from trustworthy sources.

Zscaler CoverageAdvanced Threat Protection

JS.Trojan.Agent
HTML.Phish.SEO
W32/Satacom.C.gen!Eldorado
W32/Kryptik.LQU.gen!Eldorado

Advanced Cloud SandboxDuring our investigation of this campaign, the Zscaler Cloud Sandbox played a significant role in analyzing the behavior of multiple files.

Figure 16: Zscaler Cloud Sandbox report

Indicators Of Compromise (IOCs)aprel88[.]com/getLicenseInfo.php?requirements=time&checkMethod=2t9z[.]lol/imvLbzv05Wgood2-led[.]com/dark4.bs641blob[.]monster/pidaras/142.bindark-confusion[.]com26B980E5A79883830EBE9E588867F9A7E0B000BD86ACE23AB5D94FC44480D8B32ECE1BB679CB143D84BBA1F114288101Scam sites
goodclassic.weebly.com
entrancementace.weebly.com
ngbris.weebly.com
evercomplete908.weebly.com
cleversrus897.weebly.com
auctionsyellow900.weebly.com
renewdecor526.weebly.com
newbr594.weebly.com
evertango.weebly.com
finalrenew.weebly.com
promogood.weebly.com
renewinfinite.weebly.com
intelxs.weebly.com
yooever621.weebly.com
talentyellow.weebly.com
automotiveload178.weebly.com
dota2giveaway2017.weebly.com
newdi.weebly.com
bargainslasopa612.weebly.com
multiprogramsy273.weebly.com
nutukotixirijir.weebly.com
marketever326.weebly.com
keenmouse307.weebly.com
ilidatickets.weebly.com
managebrown.weebly.com
giwezodos.weebly.com
forfasr600.weebly.com
purpleshara.weebly.com
lasopasolutions860.weebly.com
yellowcopy.weebly.com
ruclever.weebly.com
lasopabali332.weebly.com
eternalfasr766.weebly.com
locatorlasopa581.weebly.com
trainingenergy.weebly.com
reneweasy.weebly.com
smallbusinesscelestial.weebly.com
fasrsonic952.weebly.com
lasopadigital325.weebly.com
honestlasopa869.weebly.com
newrider.weebly.com
lastitalian658.weebly.com
swagpowerup.weebly.com
entrancementsan.weebly.com
fasrpinoy260.weebly.com
engnice.weebly.com
slotsmaps712.weebly.com
skyeylane.weebly.com
lasopaon950.weebly.com
plclever.weebly.com
heavenlystudy.weebly.com
cafed0wnload.weebly.com
bucketyellow.weebly.com
sunnyfasr390.weebly.com
treecargo349.weebly.com
mlsfasr616.weebly.com
potentmark.weebly.com
tbsoha.weebly.com
borenew.weebly.com
aifasr879.weebly.com
pinuxijevafu.weebly.com
casefasr300.weebly.com
multiprogrammeister.weebly.com
yulasopa966.weebly.com
divafasr820.weebly.com
gootoy.weebly.com
sadapazixome.weebly.com
generousnurse.weebly.com
fasrpars454.weebly.com
siteearth.weebly.com
juheavy.weebly.com
magkeen.weebly.com
yellowacademy158.weebly.com
bazarredled.weebly.com
pamikifatiril.weebly.com
smsenergy.weebly.com
brownfield571.weebly.com
streamfasr559.weebly.com
boxli.weebly.com
huntergood.weebly.com
daeyuni.weebly.com
facealpine.weebly.com
mpxilus853.weebly.com
programrevolution503.weebly.com
supernalpig.weebly.com
collectiveeagle905.weebly.com
fitroom.weebly.com
cleversalsa709.weebly.com
lasopafoot166.weebly.com
ilikefasr787.weebly.com
vinokiwofexuge.weebly.com
depositpizza292.weebly.com
multifileslong832.weebly.com
dopworld.weebly.com
everpico.weebly.com
politicalgreenway.weebly.com
ityellow.weebly.com
generouseu.weebly.com
abcceleb.weebly.com
aspoynerd.weebly.com
neuroheavy.weebly.com
treedisco771.weebly.com
goomoves.weebly.com
generousmetrix.weebly.com
endfasr772.weebly.com
erssupernal855.weebly.com
fasrlegacy770.weebly.com
potlasopa889.weebly.com
energystrategy.weebly.com
metaskyey.weebly.com
keeniso.weebly.com
musicalesta.weebly.com
everpump710.weebly.com
purpleclever657.weebly.com
picturefasr318.weebly.com
informationfasr831.weebly.com
d0wnloadoption.weebly.com
cleverlinked608.weebly.com
universalpowerful.weebly.com
lasopababe663.weebly.com
binarypowerful617.weebly.com
renewvector802.weebly.com
newlineemporium.weebly.com
fasrcore874.weebly.com
dopolijakom.weebly.com
misolopov.weebly.com
texasgroovy657.weebly.com
barname.weebly.com
debtcrack.weebly.com
prioritysoft828.weebly.com
intellifasr780.weebly.com
entrancementsing.weebly.com
engangry.weebly.com
airvoper.weebly.com
baldcircleyouth.weebly.com
buyerstwink.weebly.com
lasoparetail499.weebly.com
savvytree583.weebly.com
bonusny428.weebly.com
lasopacleaning304.weebly.com
logskiey.weebly.com
fasrphotography956.weebly.com
gatewayface.weebly.com
grayenergy306.weebly.com
glammonkey.weebly.com
companionclever103.weebly.com
forlifepotent.weebly.com
washingtonclever.weebly.com
hotellasopa281.weebly.com
yellowforms.weebly.com
lasopajava575.weebly.com
nestilida.weebly.com
saydigital113.weebly.com
sharamoves718.weebly.com
petsfasr837.weebly.com
playlicious.weebly.com
partnersmultiprogram.weebly.com
labelbaldcircle387.weebly.com
casinowoo88.weebly.com
medfastpower.weebly.com
groundlasopa592.weebly.com
entrancementtab.weebly.com
talknitro.weebly.com
heavypersian.weebly.com
heavenlyproduct517.weebly.com

Strings
eigenlayer
trbinance
publisher
checkout
onedrive
azurewebsites
billing
secure
digicert
coinbase
evernote
crypto
admin
dashboard
cashier
bitwarden
opensea
metamask
exchange
wallet
swap
tradeogre
stake
mining
steamcommunity
dana-na
remote
global-protect
cscoe
citrix
LogonPoint
screenconnect
XenApp
vpn
silentDetection
rdweb
microsoftonline
stripe.com
privateemail.com
ads.google
adsense.google.com
admin.booking.com
ads.microsoft.com
business.facebook.com
ads.facebook
adsmanager.facebook
payments.google.com
pay.google.com
virustotal.com
bankofamerica.com  

The sequence begins with threat actors creating a fake site on a web hosting service, which remains undetected by the hosting service itself. When a user searches for relevant information and clicks on a link from the search results, they unknowingly access the malicious site.

Interestingly, if the user directly enters the URL instead of clicking on the link, it bypasses this interaction, potentially to avoid analysis by security researchers – a topic further explored in the next section.

Evasion techniques

Threat actors employ checks on these malicious sites designed to evade detection by researchers. Upon loading, they verify the referral URL. If it originates from search engines like Google, Bing, DuckDuckGo, Yahoo, or AOL, the site proceeds to the next page. If the user accesses the website directly, indicating potential analysis, the site avoids redirection.

The following screenshot showcases an obfuscated script which checks and redirects users accordingly. 

Figure 2: The obfuscated code responsible for checking and redirecting users to evade detection.

This obfuscation method employs string concatenation and mathematical manipulation to hide the code’s logic. It combines strings or arrays to create expressions and manipulates values through mathematical operations to make the code more difficult to understand.

The screenshot below shows the decoded JavaScript code that’s hidden in the heavily obfuscated code mentioned above.

Figure 3: The decoded JavaScript code hidden in the heavily obfuscated code.

Payload delivery

Consider a scenario where a user searches for a cracked version of software on a search engine. One of these malicious websites may prominently feature in search results, where the user proceeds to select one. Once the above-mentioned script confirms that the user landed on the page through a search engine, it displays a fake MediaFire page hosted on Weebly.com that appears legitimate. However, instead of cracked software, the user may inadvertently download malware, thus initiating the malicious payload delivery.

As an example, the figure below shows a comparison of a fraudulent and legitimate MediaFire page. Both pages are similar; however, examining the URL provides clear indications that one of them is fraudulent because it does not use the MediaFire domain.

Figure 4: A comparison of a fake and legitimate MediaFire page.

The payload file downloaded from the fake MediaFire page has a two-level zipped structure. 

Upon extracting the first ZIP archive, the victim will find another ZIP archive inside. This secondary ZIP archive is password-protected and the password is located in an image inside the first ZIP archive. This represents the second technique employed by attackers to evade detection.

The screenshot below depicts the two-level zipped structure.

Figure 5: The files after extracting two ZIP archives.

Upon executing the extracted setup.exe file, the installation process initiates. This setup file will install the genuine GNU Privacy Guard, an OpenPGP cryptographic software suite widely utilized to enhance the security of email communications. During the installation process, we have observed that alongside setting up the genuine GNU Privacy Guard (GPG), a malicious DLL is also dropped into the same directory. This DLL utilizes DLL sideloading techniques to execute malicious activities under the guise of legitimate processes.

The screenshot below shows the malicious DLL within the directory.

Figure 6: A screenshot of the malicious DLL libgcrypt-20.dll loaded using DLL sideloading.

Subsequently, this malicious DLL begins executing its activities. To evade detection, it triggers the execution of explorer.exe and utilizes process hollowing techniques.

Below, we outline the steps involved in the process.

The attacker exploits an undocumented API, CreateProcessInternalA, to initiate a suspended explorer.exe process, then utilizes NtQueryInformationProcess to acquire its base address. After replacing legitimate content with the malicious payload via NtUnmapViewOfSection, VirtualAllocEx allocates memory within the target process. WriteProcessMemory copies the payload, and ResumeThread resumes execution, completing the injection process.

Furthermore, explorer.exe will initiate the execution of the PowerShell executable, passing along a malicious command-line argument, -windowstyle hidden, to the PowerShell console. The screenshot below shows the decoded version of this command-line argument. This command-line instructs PowerShell to download a heavily obfuscated script from a specified URL. Subsequently, it replaces certain special characters with alphabetical characters. The resulting string is decoded using the FromBase64String method. The decoded Base64 string undergoes XOR operations with the values 167 and 18.

The screenshot below shows the malicious command-line argument.

Figure 7: The malicious command-line argument.

The screenshot below depicts a section of the Base64-encoded file retrieved from the URL provided. This special character replacement prior to decoding is specifically designed to evade detection by antivirus software, enhancing the malware’s ability to bypass security measures effectively.

Figure 8: The malicious file Base64-encoded file with special character replacement.

This file exhibits multilayered obfuscation. After undergoing the initial level of deobfuscation, certain parts of the script remain obfuscated. Additionally, there are segments of code included within the script responsible for deobfuscating these encoded portions.

The screenshot below shows the second level of deobfuscation.

Figure 9: The second level of deobfuscation.

The obfuscated script primarily consists of JavaScript files related to a malicious browser extension. Upon execution, PowerShell will drop multiple files into the directory at C:UsersusernameAppDataLocalDefault and create a browser shortcut on the user’s Desktop. The target path for this shortcut will point to the malicious browser extensions located at “C:Program FilesGoogleChromeApplicationchrome.exe” –load-extension=”C:UserstestAppDataLocalDefault”.

The –load-extension is a command-line option used with certain web browsers. It allows users to load extensions into the browser during startup.

The screenshot below shows the files associated with the browser extensions.

Figure 10: Files related to the browser extensions.

The screenshot below shows the manifest.json file associated with this malicious extension. The file includes:

The list of permissions required by the browser extension. Numerous JavaScript files, all of which are heavily obfuscated. Attempts to disguise itself as a Google Drive extension.

Figure 11: The manifest.json related to the extension. 

 [[“value”:”IntroductionZscaler ThreatLabz researchers recently encountered a significant number of websites associated with fraudulent activities being hosted on popular web hosting and blogging platforms. Threat actors intentionally create these sites to spread malware by using the proliferation of web hosting platforms to manipulate search engine results – something called SEO poisoning, a subset of Black Hat SEO techniques. This catapults their fraudulent site to the top of a user’s search results, increasing the likelihood of inadvertently selecting a malicious site and potentially infecting their system with malware. These sites don’t belong to any specific category, as they encompass a wide range of interests such as pirated software, gaming, traveling, and food recipes. The broad coverage seems aimed at further ensuring their visibility in internet search results.

In this blog, we delve into the tactics employed by threat actors to distribute malicious information stealers, and evade detection using obfuscation and anti-debugging techniques.

Key Takeaways
Threat actors utilize fraudulent websites hosted on popular legitimate platforms to spread malware and steal data. To evade detection, attackers employ obfuscation methods and checks on referral URLs. They redirect users based on whether users access the site directly or through a search engine.
Malicious payloads are delivered through multi-level zipped files, often hidden within seemingly innocuous content. Users may unknowingly execute these payloads during software installations.
Once executed, malicious DLLs and scripts perform activities such as process hollowing, DLL sideloading, and executing PowerShell commands to download additional malware and initiating communication with command-and-control (C2) servers.
The malware gathers extensive data including system information, browser data, credentials, and browsing history. It also monitors emails pertaining to cryptocurrency exchanges and possesses the capability to modify email content, as well as potentially steal one-time authentication codes.

Looks Can Be DeceivingThe screenshot below is an example of a fraudulent website being hosted on Weebly that could appear in Google search results when users perform related searches. Even though the webpage appears legitimate and has a “Powered by Weebly” label, it’s actually dangerous. This combination of seeming authentic and being associated with Weebly, a real and reputable platform, makes it more likely that users will download malware without realizing it.

Figure 1: An example of a scam website hosted on Weebly.

How It WorksThe sequence begins with threat actors creating a fake site on a web hosting service, which remains undetected by the hosting service itself. When a user searches for relevant information and clicks on a link from the search results, they unknowingly access the malicious site.

Interestingly, if the user directly enters the URL instead of clicking on the link, it bypasses this interaction, potentially to avoid analysis by security researchers – a topic further explored in the next section.

Evasion techniquesThreat actors employ checks on these malicious sites designed to evade detection by researchers. Upon loading, they verify the referral URL. If it originates from search engines like Google, Bing, DuckDuckGo, Yahoo, or AOL, the site proceeds to the next page. If the user accesses the website directly, indicating potential analysis, the site avoids redirection.

The following screenshot showcases an obfuscated script which checks and redirects users accordingly.

Figure 2: The obfuscated code responsible for checking and redirecting users to evade detection.

This obfuscation method employs string concatenation and mathematical manipulation to hide the code’s logic. It combines strings or arrays to create expressions and manipulates values through mathematical operations to make the code more difficult to understand.

The screenshot below shows the decoded JavaScript code that’s hidden in the heavily obfuscated code mentioned above.

Figure 3: The decoded JavaScript code hidden in the heavily obfuscated code.

Payload deliveryConsider a scenario where a user searches for a cracked version of software on a search engine. One of these malicious websites may prominently feature in search results, where the user proceeds to select one. Once the above-mentioned script confirms that the user landed on the page through a search engine, it displays a fake MediaFire page hosted on Weebly.com that appears legitimate. However, instead of cracked software, the user may inadvertently download malware, thus initiating the malicious payload delivery.

As an example, the figure below shows a comparison of a fraudulent and legitimate MediaFire page. Both pages are similar; however, examining the URL provides clear indications that one of them is fraudulent because it does not use the MediaFire domain.

Figure 4: A comparison of a fake and legitimate MediaFire page.

The payload file downloaded from the fake MediaFire page has a two-level zipped structure.

Upon extracting the first ZIP archive, the victim will find another ZIP archive inside. This secondary ZIP archive is password-protected and the password is located in an image inside the first ZIP archive. This represents the second technique employed by attackers to evade detection.

The screenshot below depicts the two-level zipped structure.

Figure 5: The files after extracting two ZIP archives.

Upon executing the extracted setup.exe file, the installation process initiates. This setup file will install the genuine GNU Privacy Guard, an OpenPGP cryptographic software suite widely utilized to enhance the security of email communications. During the installation process, we have observed that alongside setting up the genuine GNU Privacy Guard (GPG), a malicious DLL is also dropped into the same directory. This DLL utilizes DLL sideloading techniques to execute malicious activities under the guise of legitimate processes.

The screenshot below shows the malicious DLL within the directory.

Figure 6: A screenshot of the malicious DLL libgcrypt-20.dll loaded using DLL sideloading.

Subsequently, this malicious DLL begins executing its activities. To evade detection, it triggers the execution of explorer.exe and utilizes process hollowing techniques.

Below, we outline the steps involved in the process.

The attacker exploits an undocumented API, CreateProcessInternalA, to initiate a suspended explorer.exe process, then utilizes NtQueryInformationProcess to acquire its base address. After replacing legitimate content with the malicious payload via NtUnmapViewOfSection, VirtualAllocEx allocates memory within the target process. WriteProcessMemory copies the payload, and ResumeThread resumes execution, completing the injection process.

Furthermore, explorer.exe will initiate the execution of the PowerShell executable, passing along a malicious command-line argument, -windowstyle hidden, to the PowerShell console. The screenshot below shows the decoded version of this command-line argument. This command-line instructs PowerShell to download a heavily obfuscated script from a specified URL. Subsequently, it replaces certain special characters with alphabetical characters. The resulting string is decoded using the FromBase64String method. The decoded Base64 string undergoes XOR operations with the values 167 and 18.

The screenshot below shows the malicious command-line argument.

Figure 7: The malicious command-line argument.

The screenshot below depicts a section of the Base64-encoded file retrieved from the URL provided. This special character replacement prior to decoding is specifically designed to evade detection by antivirus software, enhancing the malware’s ability to bypass security measures effectively.

Figure 8: The malicious file Base64-encoded file with special character replacement.

This file exhibits multilayered obfuscation. After undergoing the initial level of deobfuscation, certain parts of the script remain obfuscated. Additionally, there are segments of code included within the script responsible for deobfuscating these encoded portions.

The screenshot below shows the second level of deobfuscation.

Figure 9: The second level of deobfuscation.

The obfuscated script primarily consists of JavaScript files related to a malicious browser extension. Upon execution, PowerShell will drop multiple files into the directory at C:UsersusernameAppDataLocalDefault and create a browser shortcut on the user’s Desktop. The target path for this shortcut will point to the malicious browser extensions located at “C:Program FilesGoogleChromeApplicationchrome.exe” –load-extension=”C:UserstestAppDataLocalDefault”.

The –load-extension is a command-line option used with certain web browsers. It allows users to load extensions into the browser during startup.

The screenshot below shows the files associated with the browser extensions.

Figure 10: Files related to the browser extensions.

The screenshot below shows the manifest.json file associated with this malicious extension. The file includes:

The list of permissions required by the browser extension.
Numerous JavaScript files, all of which are heavily obfuscated.
Attempts to disguise itself as a Google Drive extension.

Figure 11: The manifest.json related to the extension.

Network AnalysisAfter the initial execution through DLL sideloading, a malicious PowerShell script establishes communication with aprel88[.]com/getLicenseInfo.php?requirements=time&checkMethod=2 through a GET request. The malicious hollowed explorer.exe process initiates two transactions to download a malicious DLL from t9z[.]lol/imvLbzv05W and a BIN file from 1blob[.]monster/pidaras/142.bin. Subsequently, the malicious DLL is executed using rundll32.exe.

Further malicious activity is observed which was linked to a PowerShell script. Notably, the domain good2-led[.]com is identified as the source responsible for downloading files associated with a browser extension.

The screenshot below shows the malicious network traffic.

Figure 12: A screenshot of the malicious traffic.

Upon initiating the Chrome browser through its shortcut, a malicious extension is loaded, triggering communication with a malicious C2 server. Before this communication takes place, the extension sends a request to blockchain.info, specifically to the URL blockchain.info/address/address, utilizing the Bitcoin address bc1qnxwt7sr3rqatd6efjyym3nsgxhslyzeqndhjpn.

In response, the extension retrieves a Base58-encoded string, which upon decoding, discloses the location of the C2 server. The address 1A9mJv7MHkSzMqe4TEdfyttEz9ZcZugyLR was returned as a result of this request. Decoding this string reveals the domain dark-confusion[.]com, which corresponds to the aforementioned address.

Information TheftAfter initiating communication with the C2 server, the malicious extension engages in information theft, gathering a wide range of data including:

System information
Browser cookies
Browser fingerprints
Credentials
Machine information
Browser extensions
Extension permissions
Cookies
Browser history

During communication with the C2 server, the malware responds with a list of strings such as:

onedrive
bankofamerica.com
billing
ads.microsoft.com
secure
digicert
coinbase
evernote
crypto
admin

Note: It’s important to monitor traffic associated with these keywords. See the Indicators Of Compromise (IOCs) section at the end of the blog for additional strings associated with stealer activity.

Additionally, it possesses the capability to inject code into web-based email applications through two JavaScript files: gmail.js and main.js. It specifically targets messages related to cryptocurrency trading across various exchanges such as OKX, Binance, Bybit, Gate, Poloniex, Mexc, Bitget, Kucoin, Huobi, and Lbank. Figure 13 and 14, shown below, show a portion of the script responsible for these activities.

The script employs the checkWithdrawalLetter function, highlighted in the screenshot below, to scrutinize emails for withdrawal requests associated with cryptocurrency trading. Upon identifying a match, it proceeds to modify the email content to resemble a sign-in email, thereby altering the appearance for deceptive purposes. Additionally, it includes functionality within the getCode function, highlighted in the figure below, to extract and validate six-digit authentication codes received via email using regular expressions.

Figure 13: JavaScript code that monitors and modifies email content.

The screenshot below shows a list of cryptocurrency exchanges and titles required for email modification.

Figure 14: List of cryptocurrency exchanges and titles required for email modification.

The screenshot below shows the post-infection network traffic.

Figure 15: A screenshot of post-infection traffic.

ConclusionThis campaign underscores the exploitation of user behavior by attackers who leverage Black Hat SEO, specifically SEO poisoning, to spread malware, ultimately aiming to extort victims for financial gain and other benefits. These analyzed campaigns rely on users’ engagement with seemingly “trustworthy” websites to initiate the infection process. Individuals can effectively prevent such harmful infections by refraining from downloading software from suspicious sources. Instead, they should prioritize visiting reputable websites and exclusively download software from trustworthy sources.

Zscaler CoverageAdvanced Threat Protection

JS.Trojan.Agent
HTML.Phish.SEO
W32/Satacom.C.gen!Eldorado
W32/Kryptik.LQU.gen!Eldorado

Advanced Cloud SandboxDuring our investigation of this campaign, the Zscaler Cloud Sandbox played a significant role in analyzing the behavior of multiple files.

Figure 16: Zscaler Cloud Sandbox report

Indicators Of Compromise (IOCs)aprel88[.]com/getLicenseInfo.php?requirements=time&checkMethod=2t9z[.]lol/imvLbzv05Wgood2-led[.]com/dark4.bs641blob[.]monster/pidaras/142.bindark-confusion[.]com26B980E5A79883830EBE9E588867F9A7E0B000BD86ACE23AB5D94FC44480D8B32ECE1BB679CB143D84BBA1F114288101Scam sites
goodclassic.weebly.com
entrancementace.weebly.com
ngbris.weebly.com
evercomplete908.weebly.com
cleversrus897.weebly.com
auctionsyellow900.weebly.com
renewdecor526.weebly.com
newbr594.weebly.com
evertango.weebly.com
finalrenew.weebly.com
promogood.weebly.com
renewinfinite.weebly.com
intelxs.weebly.com
yooever621.weebly.com
talentyellow.weebly.com
automotiveload178.weebly.com
dota2giveaway2017.weebly.com
newdi.weebly.com
bargainslasopa612.weebly.com
multiprogramsy273.weebly.com
nutukotixirijir.weebly.com
marketever326.weebly.com
keenmouse307.weebly.com
ilidatickets.weebly.com
managebrown.weebly.com
giwezodos.weebly.com
forfasr600.weebly.com
purpleshara.weebly.com
lasopasolutions860.weebly.com
yellowcopy.weebly.com
ruclever.weebly.com
lasopabali332.weebly.com
eternalfasr766.weebly.com
locatorlasopa581.weebly.com
trainingenergy.weebly.com
reneweasy.weebly.com
smallbusinesscelestial.weebly.com
fasrsonic952.weebly.com
lasopadigital325.weebly.com
honestlasopa869.weebly.com
newrider.weebly.com
lastitalian658.weebly.com
swagpowerup.weebly.com
entrancementsan.weebly.com
fasrpinoy260.weebly.com
engnice.weebly.com
slotsmaps712.weebly.com
skyeylane.weebly.com
lasopaon950.weebly.com
plclever.weebly.com
heavenlystudy.weebly.com
cafed0wnload.weebly.com
bucketyellow.weebly.com
sunnyfasr390.weebly.com
treecargo349.weebly.com
mlsfasr616.weebly.com
potentmark.weebly.com
tbsoha.weebly.com
borenew.weebly.com
aifasr879.weebly.com
pinuxijevafu.weebly.com
casefasr300.weebly.com
multiprogrammeister.weebly.com
yulasopa966.weebly.com
divafasr820.weebly.com
gootoy.weebly.com
sadapazixome.weebly.com
generousnurse.weebly.com
fasrpars454.weebly.com
siteearth.weebly.com
juheavy.weebly.com
magkeen.weebly.com
yellowacademy158.weebly.com
bazarredled.weebly.com
pamikifatiril.weebly.com
smsenergy.weebly.com
brownfield571.weebly.com
streamfasr559.weebly.com
boxli.weebly.com
huntergood.weebly.com
daeyuni.weebly.com
facealpine.weebly.com
mpxilus853.weebly.com
programrevolution503.weebly.com
supernalpig.weebly.com
collectiveeagle905.weebly.com
fitroom.weebly.com
cleversalsa709.weebly.com
lasopafoot166.weebly.com
ilikefasr787.weebly.com
vinokiwofexuge.weebly.com
depositpizza292.weebly.com
multifileslong832.weebly.com
dopworld.weebly.com
everpico.weebly.com
politicalgreenway.weebly.com
ityellow.weebly.com
generouseu.weebly.com
abcceleb.weebly.com
aspoynerd.weebly.com
neuroheavy.weebly.com
treedisco771.weebly.com
goomoves.weebly.com
generousmetrix.weebly.com
endfasr772.weebly.com
erssupernal855.weebly.com
fasrlegacy770.weebly.com
potlasopa889.weebly.com
energystrategy.weebly.com
metaskyey.weebly.com
keeniso.weebly.com
musicalesta.weebly.com
everpump710.weebly.com
purpleclever657.weebly.com
picturefasr318.weebly.com
informationfasr831.weebly.com
d0wnloadoption.weebly.com
cleverlinked608.weebly.com
universalpowerful.weebly.com
lasopababe663.weebly.com
binarypowerful617.weebly.com
renewvector802.weebly.com
newlineemporium.weebly.com
fasrcore874.weebly.com
dopolijakom.weebly.com
misolopov.weebly.com
texasgroovy657.weebly.com
barname.weebly.com
debtcrack.weebly.com
prioritysoft828.weebly.com
intellifasr780.weebly.com
entrancementsing.weebly.com
engangry.weebly.com
airvoper.weebly.com
baldcircleyouth.weebly.com
buyerstwink.weebly.com
lasoparetail499.weebly.com
savvytree583.weebly.com
bonusny428.weebly.com
lasopacleaning304.weebly.com
logskiey.weebly.com
fasrphotography956.weebly.com
gatewayface.weebly.com
grayenergy306.weebly.com
glammonkey.weebly.com
companionclever103.weebly.com
forlifepotent.weebly.com
washingtonclever.weebly.com
hotellasopa281.weebly.com
yellowforms.weebly.com
lasopajava575.weebly.com
nestilida.weebly.com
saydigital113.weebly.com
sharamoves718.weebly.com
petsfasr837.weebly.com
playlicious.weebly.com
partnersmultiprogram.weebly.com
labelbaldcircle387.weebly.com
casinowoo88.weebly.com
medfastpower.weebly.com
groundlasopa592.weebly.com
entrancementtab.weebly.com
talknitro.weebly.com
heavypersian.weebly.com
heavenlyproduct517.weebly.com

Strings
eigenlayer
trbinance
publisher
checkout
onedrive
azurewebsites
billing
secure
digicert
coinbase
evernote
crypto
admin
dashboard
cashier
bitwarden
opensea
metamask
exchange
wallet
swap
tradeogre
stake
mining
steamcommunity
dana-na
remote
global-protect
cscoe
citrix
LogonPoint
screenconnect
XenApp
vpn
silentDetection
rdweb
microsoftonline
stripe.com
privateemail.com
ads.google
adsense.google.com
admin.booking.com
ads.microsoft.com
business.facebook.com
ads.facebook
adsmanager.facebook
payments.google.com
pay.google.com
virustotal.com
bankofamerica.com”]]