Cyberveille, curated by Decio
3 results tagged SEO-poisoning
Fake Zenmap, WinMRT sites target IT staff with Bumblebee malware https://www.bleepingcomputer.com/news/security/bumblebee-malware-distributed-via-zenmap-winmrt-seo-poisoning/
26/05/2025 11:47:07

The Bumblebee malware SEO poisoning campaign uncovered earlier this week impersonating RVTools is using more typosquatting domains mimicking other popular open-source projects to infect devices used by IT staff.

BleepingComputer was able to find two cases leveraging the notoriety of Zenmap, the GUI for the Nmap network scanning tool, and the WinMTR traceroute utility.

Both of these tools are commonly used by IT staff to diagnose or analyze network traffic, requiring administrative privileges for some of the features to work. This makes users of these tools prime targets for threat actors looking to breach corporate networks and spread laterally to other devices.

The Bumblebee malware loader has been pushed through at least two domains - zenmap[.]pro and winmtr[.]org. While the latter is currently offline, the former is still online and shows a fake blog page about Zenmap when visited directly.

When users are redirected to zenmap[.]pro from search results, though, it shows a clone of the legitimate website for the nmap (Network Mapper) utility:

The two sites received traffic through SEO poisoning and rank high in Google and Bing search results for the associated terms.

BleepingComputer's tests show that if you visit the fake Zenmap site directly, it shows several AI-generated articles instead, as seen in the image below:

The payloads delivered through the download section are ‘zenmap-7.97.msi’ and ‘WinMTR.msi’, and they both evade detection from most antivirus engines on VirusTotal [1, 2].

The installers deliver the promised application along with a malicious DLL, as in the case of RVTools, which drops a Bumblebee loader on users' devices.

From there, the backdoor can be used to profile the victim and introduce additional payloads, which may include infostealers, ransomware, and other types of malware.

Apart from the open-source tools mentioned above, BleepingComputer has also seen the same campaign targeting users looking for Hanwha security camera management software WisenetViewer.

Cyjax’s researcher Joe Wrieden also spotted a trojanized version of the video management software Milestone XProtect being part of the same campaign, the malicious installers being delivered via ‘milestonesys[.]org’ (online).

bleepingcomputer EN 2025 Malware-Loader SEO-Poisoning WinMRT Zenmap
360XSS: Mass Website Exploitation via Virtual Tour Framework for SEO Poisoning https://olegzay.com/360xss/
03/03/2025 11:09:56

360XSS - Hackers are exploiting a reflected XSS vulnerability in the "Krpano" VR library across hundreds of websites for SEO poisoning.

olegzay.com EN 2025 360XSS reflected-XSS VR library SEO-poisoning
LummaC2 Malware Abusing the Game Platform 'Steam' - ASEC BLOG https://asec.ahnlab.com/en/68309/
29/07/2024 09:29:05

LummaC2 is an Infostealer that is being actively distributed, disguised as illegal programs (e.g. cracks, keygens, and game hacking programs) available from distribution websites, YouTube, and LinkedIn using the SEO poisoning technique. Recently, it has also been distributed via search engine ads, posing as web pages of Notion, Slack, Capcut, etc.

Reference: Distribution of MSIX Malware Disguised as Notion Installer

ahnlab EN 2024 LummaC2 Infostealer steam craks keygens SEO-poisoning MSIX Notion Installer