Gootloader exploits websites via SEO to spread ransomware, trojans

Researchers have warned that Gootloader campaigns generally target users in the US, Germany, France, and South Korea.

The cybercriminal community has become quite sophisticated in its attack tactics to trick Google into displaying malicious search results, putting millions of its users around the world at risk of malware infection.

In the latest development, Gootloader is back with additional capabilities and exploits websites via Search Engine Optimisation (SEO) to spread nasty banking trojans like Kronos.

Gootloader expanding payload delivery mechanism

Gootloader is a malware loader that previously distributed the Gootkit malware. However, the latest research from the cybersecurity firm Sophos reveals that Gootloader has evolved into a sophisticated loader framework and has expanded its payload delivery beyond the Gootkit family of malware.

Researchers believe that the loader has undergone a renaissance as far as payload delivery is concerned, as it now includes the Kronos trojan, Cobalt Strike, and possibly REvil ransomware.

Sophos claims that the Gootloader campaigns generally target users in the US, Germany, France, and South Korea.

What is Gootloader?

It is a JavaScript-based malware tool or framework that previously delivered the Gootkit malware family, particularly the Gootkit remote access trojan. This malware family was discovered around five years ago and has since evolved into sophisticated trojans aimed at stealing banking credentials.

Its delivery method has also changed significantly, moving to NodeJS-based malware.

How it uses Google SEO Poisoning

Gootloader now gains traction using Google SEO poisoning and launches a multi-stage attack process. Researchers state that the malware loader relies on SEO poisoning for malware delivery.

SEO poisoning is an old tactic in which the loader leverages SEO-friendly keywords/terms in websites controlled by the attacker. This allows the websites to rank higher in Google’s search index, and unsuspecting users are drawn towards these compromised websites. The sites usually contain links that immediately launch the Gootloader attack chain.

One of the hacked websites used to deliver Gootloader malware (Image: Sophos)

Gootloader malware using hacked websites

To perform SEO poisoning, Gootloader attackers have compromised a wide range of legitimate websites, which they maintain on a network of 400 servers.

It is unclear how attackers gain access to the websites’ backend, but traditionally, this kind of compromise stems from many different methods.

“The attackers may simply obtain the sites’ passwords from the Gootkit malware itself, or from any of a number of criminal markets that trade in stolen credentials, or by leveraging any of a number of security exploits in the plugins or add-ons of the CMS software,” researchers stated in a blog post.

Fileless Malware Delivery

Apart from using SEO poisoning, another tactic that sets Gootloader apart is that it performs fileless malware delivery. In fileless malware delivery, legitimate and trusted processes such as PowerShell are used to evade anti-virus products and ensure uninterrupted malware delivery.

Hacked website with fake posts, fake profiles posting links carrying Gootloader malware. (Image: Sophos)

Final takeaway

There are several search engines out there; however, if you prefer using Google, do not trust every result without taking security precautions. Make sure you have updated anti-malware software installed on your system, and make it a habit to scan files or links before opening them.
