February 15, 2024

Tracking malware delivered by SEO Poisoning targeting multiple sectors in UK & EU (Precursor Security SOC)

The Precursor SOC responded to a major cyber incident where the root cause was targeted SEO poisoning. Further investigations uncovered a sophisticated campaign targeting key business sectors in the UK & EU.

Download the Microsoft 365 Security Guide  - FREE

Complete the form to download your FREE Microsoft 365 Security Guide today, including:

  • A checklist to ensure your organisation is protected.
  • Top tips you can distribute to employees to keep your data safe.
  • Recommended secure configuration settings for your environment.

Sign up on the form and receive the guide instantly.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get Your 'Vulnerability Management Template' FREE!‍

Your Vulnerability Management Template Includes:

  • Full Vulnerability Identification Process Documents
  • Easy to Follow Process Diagrams
  • System and Data Criticality Definitions
  • Vulnerability Triage Process
  • Remediation Allocation Process
  • Root Cause Analysis Process

Secure your organisation today by completing the form for your Vulnerability Management Template.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Download the, 'How to secure Microsoft Office Desktop Deployments Technical Guide' - FREE

  • 15 Technical Controls to help secure your users and keep your business safe.
  • 100’s of reference group policy objects to implement the controls
  • Reference material to learn more about each control

Complete the form to download your free technical guide and secure your organisation today.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

The Tip-Off

Precursor were recently engaged by an organisation in need of assistance, following a tip-off from the National Cyber Security Centre(NCSC) that a device in their network is known to be infected with malware. The invaluable notification allowed the organisation to react in time to prevent a ransomware breakout. The malware was delivered via a novel technique known as SEO Poisoning.

The Malware - Gootloader

Precursor Security’s Incident Response services were engaged to investigate further, providing expert digital forensics & incident response. The team uncovered a malicious .zip file in the users downloads directory, containing a malicious JavaScript (.js) file. The script was retrieved for further analysis whilst the delivery mechanism of the malware was then investigated. This malware is known as ‘Gootloader’.

Delivery of Malware via SEO Poisoning

What is SEO Poisoning?

SEO Poisoning is the technique employed by malicious actors whereby they aim to display hijacked websites at the top of search engine results to lure/trick users into downloading malware from them. There are two known methods:

  • Malvertising – Having websites show in the ‘ads’ section of search engines, which guarantees them to show at the top.
  • Search term poisoning– Using genuine SEO techniques to have websites show in the top results for targeted search terms.

Malicious actors tend to hijack vulnerable websites with good SEO ratings and create fictitious pages to host their malware download links. This technique of acquiring infrastructure also provides other offensive benefits such as being able to bypass web and email gateway filters due to characteristics such as:

  • Domains being ‘aged’
  • Websites having a historically good standing order

Confirming the Delivery

Our DFIR team acquired digital evidence from the device to investigate further. The team uncovered the SEO poisoning during analysis of the browser history artefacts which lead the to a malicious website to download a .zip file matching the details of the recently found .zip file on disk.

Uncovering a Sophisticated & Targeted Campaign

Upon the discovery of the malicious website, the team performed in-depth analysis in a private sandbox environment uncovering the following criteria which is applied when visiting the website:

There is code that checks if:

  • The client has been redirected from a search engine
  • The client device is Windows and not a tablet/mobile
  • The client geolocation is an English-speaking country
  • The client device has never visited this website before

Providing this criterion was a ‘pass’, you would be displayed a malicious version of the page, otherwise, a fictitious version. The malicious version tends to be the same apart from the words/narrative of the text linking to the search term that the user searched for.

See below, the search term leading to the malicious version, then the fictitious version which is generated because the sub-criteria no longer matches “The client device has never visited this website before”.

As you can see below, this is a screenshot of the malicious version which leads to a convenient ‘direct download link’ for the term the user searched for

A screenshot of the malicious version which leads to a convenient ‘direct download link’ for the term the user searched for.
A screenshot showing the convenient direct download link relevant to the term the user was searching for.

However, if the criteria didn’t match, the user is then shown a basic ‘blog’ looking page with no download links:

A screenshot showing a basic 'blog-looking' page which would be displayed to devices which didn't meet the criteria.

Over 15 targeted search terms were found by inspecting the ‘Googleon’ section of the HTML behind the website:

A screenshot showing the other various search terms the page was targeting , found by inspecting the 'Googleon' section of the website.
A screenshot showing the other various search terms the page was targeting , found by inspecting the 'Googleon' section of the website.

The team analysed the malicious javascript file found inside the .zip, uncovering a further 2 ‘Command & Control’ servers and more targeted search terms in their respective HTML code. It was also confirmed that all 3 websites were hijacked and vulnerable Wordpress websites, the genuine owners and hosting providers were notified.

A general victimology of these search terms is understood to be commercial, legal, real estate and financial sectors. There were references to European, UK and US terms in these search terms.


Precursor Security’s Incident Response service swiftly uncovered a sophisticated malware delivery campaign that could’ve led to ransomware, data loss and extortion if not handled promptly. Organisations should remain diligent and aware of the evolving threat of how ransomware can manifest to ensure security controls are effective.

Indicators of Compromise

Zip file MD5: 0CE5B9D617071A7CE14ACBBDCD3A77BD

JS File MD5: d7288e1331de97816dbbf904240ef140

Second Dropped File MD5: 7e90c927b80523c27e857ff262a171e0

Targeted Search Terms

Sample Commercial Rent Agreement

Money Agreement Document

[redacted] Data Processing Agreement

Rent Free Lease Agreement

Trade Agreements Greece

How Should the Pronoun Agreement in This Sentence Be Changed If at All

Confirmation of Verbal Agreement Sample

Reciprocal Agreement Definition in Business

Alumni Agreement

What Articles Should Be Included in a Partnership Agreement

Royalty Purchase Agreement

Hedging Currency Risk with Forward Contracts

Exclusive Agency Agreement Sample

[redacted] Licensing Agreement

[redacted] Bird Agreement

Agreement Negotiation Skills

Apartment Owners Association Lease Agreement

Good Friday Agreement Images

Marketing Contractor Hourly Rate

Letter to Terminate Contract with Letting Agent

Additional Server 2:

Mortgage Agreement in PrincipleOnline [redacted]

Login to [redacted] InstallmentAgreement

Subject Verb Agreement Class 6Pdf

Persuasive Agreement Meaning

Data Processing Agreement Po

Leave and License AgreementDownload Word Format

Eu-Vietnam Free Trade AgreementDelayed to 2020

Agreement [redacted]

Earlier Agreement

Employment Contract Side LetterTemplate

Co-Investment Agreement

Residential Schools Settlement Agreement

What Do You Mean by General Agreement

Fence Encroachment Agreement

Who Can Sign a Business Associate Agreement

Joint Venture Agreement Nsw

Can a 16 Year Old Get a Contract Phone

Settlement or Agreement

Canceling a Lease Agreement

Sweet Agreement

Written by

Precursor Security

Welcome to the world of cybersecurity and penetration expertise with Precursor Security. As the driving force behind our commitment to fortifying the digital landscape, we stand as a collective embodiment of experience, innovation, and a shared dedication to online safety.