Cybercriminals are using novel approaches to poison Google search results in the hope of infecting users with a banking Trojan called Zeus Panda, researchers at Cisco said.

Attackers behind the Google poisoning attempts are targeting primarily keyword searches related to finance in order to drive victims to booby-trapped websites where malicious Word documents are used to download the banking malware.

“The overall configuration and operation of the infrastructure used to distribute this malware was interesting as it did not rely on distribution methods that Talos regularly sees being used for the distribution of malware,” wrote co-authors Edmund Brumaghin, Earl Carter and Emmanuel Tacheau of a report published Thursday.

What’s novel about the attacker’s approach is they are compromising web servers hosting websites with great SEO and show up at the top of search results. Targeted sites, according to Cisco, contain desirable financial-related keyword and therefore show up when potential victims’ search for related financial topics. In other cases, adversaries inserted desirable keywords inside existing pages increasingly the likelihood the poisoned page would rank high in Google search results.

For example a search for “al rajhi bank working hours in ramadan” delivered a compromised business website that had received high ratings and reviews. Keyword groups specifically targeted financial institutions in India as well as the Middle East, according to Cisco.

“SEO poisoning has been around for a long time and has manifested itself in various ways like phishing. However, it is uncommon to see it used as part a of a large malware distribution network,” said Brumaghin in an interview with Threatpost.

To that end, poisoned sites initiate a multistage malware infection process when a victim visits. In some cases, compromised sites direct victims to fake AV and tech support pages that make false claims the visitors were infected with the Zeus Trojan.

“When the malicious web pages are accessed by victims, the compromised sites use JavaScript to redirect clients to JavaScript hosted on an intermediary site,” Cisco said. “This results in the client retrieving and executing JavaScript located at the address specified by the document.write() method. The subsequent page includes similar functionality, this time resulting in an HTTP GET request.”

The GET request returns a HTTP 302 redirect code that delivers another website hosting a malicious Word document. “As a result, the client will follow this redirection and download the malicious document. This is a technique commonly referred to as ‘302 cushioning’ and is commonly employed by exploit kits,” according to Cisco.

Next, the user is prompted to either open or save the malicious document. If the Word document is opened the user is asked to both “Enable Editing” and click “Enable Content”. If the content is “enabled” the malware payload is delivered.

Brumaghin said the Zeus Panda variant is unique because it has been updated with a new packing mechanism that features several evasion and obfuscation techniques making it much more difficult for the researchers to analyze.

The malware also uses other techniques to make analysis more difficult, such as the “initial stage of the malicious payload features hundreds of valid API calls that are invoked with invalid parameters,” researchers said. “(The) bogus calls are designed to lure an analyst and increase the time and effort required to analyze the malware.”

Brumaghin said as awareness of email-based phishing and malware distribution increases, users are more likely to be skeptical of files. “As a result, attackers are turning to presenting these files using new avenues such as results for searches conducted by the potential victims as users are more likely to trust the results presented by search engines,” he said.