While defending our customers against threats, Mandiant Managed Defense continues to see new threats that abuse trust in legitimate tools and products to carry out their attacks. These attacks are effective in getting past security defenses and staying undetected in a network.
Through proactive threat hunting, our Managed Defense frontline team uncovered a campaign that used search engine optimization (SEO) poisoning to lead victims to download the BATLOADER malware for the initial compromise. We also observed a crafty defense evasion technique using mshta.exe, a Windows-native utility designed to execute Microsoft HTML Application (HTA) files.
SEO poisoning is an attack method in which threat actors create malicious websites packed with keywords and use search engine optimization techniques to make them show up prominently in search results.