The campaign is active in North America, South Korea, Germany and France, Sophos researchers say.
To trick victims into visiting infected websites, “Gootloader uses malicious search engine optimization techniques to squirm into Google search results,” Sophos notes. “These techniques are effective at evading detection over a network – right up to the point where the malicious activity trips over behavioral detection rules.”
When someone enters certain keywords into a Google search, they are shown the link to the malicious website. Once they visit the website, they are then prompted to download a zip file that installs Gootloader, which then loads REvil ransomware and the Gootkit and Kronos Trojans, the report notes.
Sophos researchers say the Gootloader campaign uses a network of 400 compromised websites, including the site of a neonatal medical practice in Canada.
“None of the site’s legitimate content has anything to do with real estate transactions – its doctors deliver babies – and yet it is the first result to appear in a query about a very narrowly defined type of real estate agreement,” the report notes. “Google itself indicates the result is not an ad, and they have known about the site for nearly seven years. To the end user, the entire thing looks on the up-and-up.”
“This ‘first stage’ script is the only component of the attack written to the filesystem,” Sophos notes. “Because it’s the only one exposed to conventional AV scanning methods, the author has obfuscated the script and added two layers of encryption to strings and data blobs related to the next stage of the attack.”
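The first-stage script is the one artifact that does touch disk, so it is the natural place for a defender to look. The following is an added example, not code from the article or from Sophos, showing a simple triage check for a downloaded archive: it lists any script-host members in the zip and flags ones carrying long encoded string blobs or high-entropy content, the kind of signal obfuscated loaders tend to leave. It assumes the first stage is a Windows script-host file (.js, .vbs and similar; the article says only "script"), and the archive it inspects is constructed inline for the demonstration.

```python
import io
import math
import re
import zipfile

# Assumption: the first-stage script is a Windows script-host file.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")

# A quoted run of 200+ base64-style characters is a rough marker of an
# embedded encrypted/encoded blob; threshold chosen for this example.
LONG_ENCODED_STRING = re.compile(rb"['\"][A-Za-z0-9+/=]{200,}['\"]")
ENTROPY_THRESHOLD = 5.0  # bits per byte; plain source code is usually well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given data."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_zip(blob: bytes) -> dict:
    """Inspect an archive (as bytes) and report script members worth a closer look."""
    findings = {"script_members": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            data = zf.read(info)
            entropy = shannon_entropy(data)
            long_strings = len(LONG_ENCODED_STRING.findall(data))
            record = {
                "name": info.filename,
                "size": len(data),
                "entropy": round(entropy, 2),
                "long_strings": long_strings,
            }
            findings["script_members"].append(record)
            if long_strings > 0 or entropy > ENTROPY_THRESHOLD:
                findings["suspicious"] = True
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign text file, one tiny benign script,
    and one script carrying a large encoded blob (standing in for a first stage)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Sample agreement paperwork.\n")
        zf.writestr("helper.js", "alert(1);")
        encoded_blob = b"Zm9vYmFy" * 60  # 480 base64-style characters, constructed
        zf.writestr("agreement_template.js",
                    b"var blob='" + encoded_blob + b"';eval(blob);")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_zip(build_sample_zip())
    for member in result["script_members"]:
        print(member)
    print("suspicious:", result["suspicious"])
```

The check is deliberately coarse: it is a first-pass filter for a mail or download gateway, not a detector, and a real deployment would pair it with the behavioral rules the Sophos quote refers to rather than rely on static string heuristics alone.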
Gootloader then downloads a .NET injector, which loads the final payloads, such as the REvil and Gootkit malware.
Sophos says this new loader belongs to the Gootkit malware family, which has been active since 2011. Gootkit is a banking Trojan that is largely written in Node.js. The malware can record video to steal financial information from victims and load the REvil ransomware strain.
In December 2020, security firm Malwarebytes uncovered a Gootkit campaign that used compromised websites to deliver payloads. Once the payloads were downloaded, the victims’ devices were infected with Gootkit (see: Hackers Using Compromised Websites to Deliver Gootkit, REvil).
Another report by Malwarebytes found Gootkit was using fake forum templates on hacked websites to infect victims.
Asokan is senior correspondent for Information Security Media Group’s global news desk. She has previously worked with IDG and other publications where she reported on developments in technology, minority-rights and education.