Hackers update Gootkit RAT to use Google searches and discussion forums to deliver malware
Security analysts and an SEO expert explain how this new approach uses legitimate websites to trick users into downloading infected files.
It was only a matter of time before cybercriminals turned their attention to one of the most common activities on the internet— a Google search. The latest trick is using long-tail search terms and legitimate websites to deliver the Gootkit remote access trojan.
This latest iteration of the Gootkit RAT uses “malicious search engine optimization techniques to squirm into Google search results,” as Sophos analysts describe it in a blog post. The cybersecurity firm reports that criminals are using this new variation they call Gootloader to deliver malware payloads in North America, South Korea, Germany and France. The Sophos research found that bad actors are not targeting other search engines as frequently or as successfully.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Chris Rodgers, CEO and founder of Colorado SEO Pros, said that this new tactic uses Google as a gateway and SEO knowledge, particularly about long-tail searches.
“They had to go in and find topics that are low competition and low search volume and they have to be doing this at massive volume for it to be lucrative,” he said.
Hackers seem to be getting control through content management systems like WordPress and via plugins.
“That is a definite doorway and from there being able to create these fake forms,” he said. “It’s pretty creative as shady hacking stuff goes.”
Gaurav Banga, founder and CEO of cybersecurity company Balbix, said that with the recent Gootloader malware, bad actors are “SEO poisoning” by compromising legitimate and highly -\trafficked websites by accessing the site back-end, editing content to improve SEO, and adding discreetly named ZIP files containing the malware that website visitors then download.
“The easiest way to deploy SEO malware is through an admin user’s compromised system,” he said.
Bad actors using this technique are checking the referring URL to make sure it is from Google, not a business owner or employees.
“If you were able to pull query data, you coud target people who are searching the name of the brand,” he said.
Rodgers said the hackers are using pages generated by JavaScript and optimizing various elements of the page such as the title tag. He also said the bad actors could be using artificial intelligence to write the content for these pages.
“They are picking sites that have a lot of authority and optimizing even down to the file name,” he said.
Rodgers said these pages are getting a free pass from Google and that website owners are going to have to boost WordPress security and have a response plan ready in case the website goes down.
“Make sure that your WordPress site is updated, make sure you’ve got some kind of firewall, and do a plug in audit,” he said. Sucuri—if it goes down—know who you’re going to call and have a plan.
He also said that artificial intelligence has had a massive impact on SEO and that Google’s new AI-powered tools have removed most opportunities to influence search results.
Banga at Balbix said that preventing these attacks requires infosec teams to have real-time visibility into the cybersecurity hygiene of internet-facing websites, remote workers’ systems and internet-facing servers. This visibility ensures protection, detection and containment.
“I believe that the only way to tackle these increasingly sophisticated attacks is through cybersecurity self-awareness by leveraging automation to predict business risks, creating actionable prescriptions for critical issues, and driving continual improvement around cybersecurity posture,” he said.
To strengthen employee defenses against malware, IT teams should make sure browsers are patched and that external applications such as PowerShell do not have unrestricted policies.
Sophos analysis of Gootloader
Cybersecurity analysts Gabor Szappanos and Andrew Brandt at Sophos published a detailed review of how Gootloader works. As the analysts note, the Gootkit malware family has been active for several years. The new developments are in its delivery method, which merited the new name to describe these changes.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
This new delivery method relies as much on technology as human psychology, the analysts said in the blog post. The bad actors hack legitimate websites and add pages with unrelated content. The Sophos analysis used the example of a website for a medical practice that was hacked to host pages about real estate contracts. The malicious pages take the form of discussion threads that feature a very specific question. In the Sophos example the question is, “Do I need a party wall agreement to sell my house,” which reads like a search query.
A reply to the query includes a direct download link to a zip archive file with a filename that matches the search query. As the Sophos analysts explain:
“This .js file is the initial infector, and the only stage of the infection at which a malicious file is written to the filesystem. Everything that happens after the target double-clicks this script runs entirely in memory, out of the reach of traditional endpoint protection tools.”
The researchers explain the mechanics of the attack, including the location-specific elements. The analysts also note that many of the hacked sites use a “well-known content management system” that the threat actors modify to change how the website is presented to certain users, depending on how they arrive on the infected site.