Wikileaks Black Hat Campaigns
SonicWALL UTM Research team discovered instances of polluted results appearing in search engine results for Wikileaks related search terms. Malware authors often use SEO poisoning campaigns to lure unsuspecting users in to clicking on malicious links strategically placed in search engine results. This technique has been traditionally used by Malware authors in Black Hat SEO campaigns around all major events. However this is the first time we have observed Wikileaks related terms being used in Black Hat SEO campaigns. The search term "Julian Assange Wikileaks" leads users to the polluted search result shown below:
If the user clicks on the malicious link in the search results then it performs the following on the victim's machine:
- The initial link redirects users to a FakeAV landing page.
- If the user downloads and runs the FakeAV executable then it performs the following on the victim's machine:
- Drops the following files:
- %temp%/systempack8_195.exe (Copy of Itself) [Detected as GAV: Kryptik.IXE (Trojan)]
- %USERPROFILE%/Application Data/7b4dd2/IA7b4_195.exe [Detected as GAV: Suspicious#fakeav_2 (Trojan)]
- Creates the following registry entry to ensure that the dropped malware runs on every system reboot:
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRunOnce: "%temp%/systempack8_195.exe"
Cyber criminals may be using the popularity garnered by wikileaks to their advantage as also observed from the mirror listing site "wikileaks.info" which is hosted in an address space known to be under the control of cyber criminals. Although the hosted site has not been found serving any malicious content so far we advise users to exercise caution visiting this domain.
SonicWALL Gateway AntiVirus provided protection against this threat via following signatures:
GAV: Kryptik.IXE (Trojan)
GAV: GAV: Suspicious#fakeav_2 (Trojan)