Malware Loader Abuses Google SEO to Expand Payload Delivery
Gootloader has expanded its payloads beyond the Gootkit malware family, using Google SEO poisoning to gain traction.
The Gootloader malware loader, previously used for distributing the Gootkit malware family, has undergone what researchers call a “renaissance” in payload delivery. New research released this week paints Gootloader as an increasingly sophisticated loader framework, which has now expanded the payloads it delivers beyond Gootkit (and, in some cases, the previously distributed REvil ransomware) to include the Kronos trojan and the Cobalt Strike commodity malware. Gootloader is known for its multi-stage attack process, its obfuscation tactics, and its use of a known malware-delivery technique called search engine optimization (SEO) poisoning. This technique places SEO-friendly terms on attacker-controlled websites in order to rank them higher in Google’s search index. The method brings more eyeballs to the malicious sites, which contain links that launch the Gootloader attack chain. “The malware delivery method pioneered by the threat actors behind the REvil ransomware and the Gootkit banking Trojan has been enjoying a renaissance of late, as telemetry indicates that criminals are using the method to deploy an array of malware payloads in South Korea, Germany, France, and across North America,” said Gabor Szappanos and Andrew Brandt, security researchers with Sophos Labs, on Monday.
Gootloader Malware: Compromised, Legitimate Websites
In order to perform SEO poisoning, Gootloader attackers have first compromised a wide variety of legitimate websites, which they maintain on a network of roughly 400 servers, said researchers.
[Image: An example of a Gootloader attack. Credit: Sophos Labs]
Researchers said the operators of these legitimate, hacked websites do not seem to know their websites are being abused in this manner. “It isn’t clear how the threat actors gain access to the backend of these sites, but historically, these kinds of website compromises may be the result of any of a number of methods: The attackers may simply obtain the sites’ passwords from the Gootkit malware itself, or from any of a number of criminal markets that trade in stolen credentials, or by leveraging any of a number of security exploits in the plugins or add-ons of the CMS software,” they said.
Using Google Search Engine Optimization For Malware Delivery
Gootloader attackers then tweak the content management systems of the compromised websites to use key SEO tactics and terms. The goal is to appear at the top of Google’s index when certain questions are typed into Google search. For instance, typing the question “do I need a party wall agreement to sell my house?” turns up a legitimate website for a Canada-based neonatal medical practice, which has actually been compromised by Gootloader attackers. The compromised part of the website features a “message board” with a “user” asking the question “do I need a party wall agreement to sell my house?” This uses exactly the same wording as the search query, as a way to rank higher in Google’s search index, even though it has nothing to do with the actual content of the compromised website.
[Image: An example of a Gootloader attack. Credit: Sophos Labs]
On that “message board,” an “admin profile” then responds to the question with a link purporting to offer more information. “None of the site’s legitimate content has anything to do with real estate transactions – its doctors deliver babies – and yet it is the first result to appear in a query about a very narrowly defined type of real estate agreement,” said researchers. “Google itself indicates the result is not an ad, and they have known about the site for nearly seven years. To the end user, the entire thing looks on the up-and-up.” Threatpost has reached out to Google for more information on how the company is battling such SEO-poisoning attacks.
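As an added illustration (not code from Sophos Labs or Threatpost), the following Python heuristic flags the pattern described above: a page whose visible text contains the search phrase verbatim alongside forum-style wording and a link pointing to a different domain. The HTML samples, the site hostname and the link hostname are constructed for this example; a real triage tool would feed it the fetched page and the referring search query.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class _TextLinks(HTMLParser):
    """Collect visible text and anchor hrefs, ignoring script/style bodies."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)

def seo_poison_indicators(html, search_query, site_host):
    """Return the three indicators of a Gootloader-style fake forum block."""
    p = _TextLinks()
    p.feed(html)
    text = re.sub(r"\s+", " ", " ".join(p.text)).lower()
    query = re.sub(r"\s+", " ", search_query).strip().lower()
    # Links whose hostname differs from the compromised site (exact match; no www. normalisation)
    offsite = [h for h in p.links
               if urlparse(h).hostname and urlparse(h).hostname != site_host]
    return {
        "exact_query_in_text": query in text,           # search phrase reproduced verbatim
        "forum_words": any(w in text for w in ("admin", "reply", "message board", "forum")),
        "offsite_links": offsite,
    }

def is_suspect(ind):
    """All three indicators together match the pattern described in the article."""
    return ind["exact_query_in_text"] and ind["forum_words"] and bool(ind["offsite_links"])

QUERY = "do I need a party wall agreement to sell my house?"
# Constructed sample: a clinic page with an injected fake message board
SAMPLE_POISONED_HTML = """<html><body><h1>Neonatal Clinic</h1><script>var x = 1;</script>
<div class="forum"><p>do I need a party wall agreement to sell my house?</p>
<p>admin: yes, see the <a href="https://files.example/agreement.php">agreement sample</a>.</p>
</div></body></html>"""
# Constructed sample: the same clinic's genuine content
SAMPLE_BENIGN_HTML = '<html><body><p>Our doctors deliver babies. <a href="/contact">Contact</a></p></body></html>'
```

Run `is_suspect(seo_poison_indicators(SAMPLE_POISONED_HTML, QUERY, "clinic.example"))` to see the poisoned sample flagged and the benign sample pass.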
Other Malware Google SEO Abuse Tactics
The abuse of SEO to drive more eyeballs and traffic to malicious sites is an age-old trick for cybercriminals, with examples of this tactic dating back to at least 2011. In 2017, for instance, cybercriminals poisoned Google search results in the hope of infecting users with a banking Trojan called Zeus Panda. These attacks continue because they work, said researchers. “Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools (or finds them convenient or even intuitive),” they said. “Even attentive users who are aware of the trick involving the fake forum page might not recognize it until it’s too late.”