Researchers have warned that Gootloader campaigns generally target users in the US, Germany, France, and South Korea.
The cybercriminal community has become quite sophisticated in its tactics for tricking Google into displaying malicious search results, putting millions of its users around the world at risk of malware infection.
In the latest development, Gootloader is back with additional capabilities and exploits websites via Search Engine Optimisation (SEO) to spread nasty banking trojans like Kronos.
Gootloader expanding payload delivery mechanism
Gootloader is a malware loader that previously distributed the Gootkit malware. However, the latest research from the cybersecurity firm Sophos reveals that Gootloader has evolved into a sophisticated loader framework and has expanded its payload delivery beyond the Gootkit family of malware.
Sophos claims that the Gootloader campaigns generally target users in the US, Germany, France, and South Korea.
What is Gootloader?
Its delivery method has been significantly improved, with nearly as much effort going into it as into the NodeJS-based malware itself.
How it uses Google SEO Poisoning
Gootloader now gains traction using Google SEO poisoning and launches a multi-stage attack process. Researchers state that the malware loader uses SEO poisoning for malware delivery.
SEO poisoning is an old tactic in which the attackers seed SEO-friendly keywords and terms into websites they control. This makes those websites rank higher in Google’s search index, and unsuspecting users are drawn towards the compromised sites. The sites usually contain links that immediately launch the Gootloader attack chain.
Gootloader malware using hacked websites
To perform SEO poisoning, Gootloader attackers have compromised a wide range of legitimate websites, which they maintain on a network of 400 servers.
It is unclear how attackers gain access to the websites’ backend, but traditionally, this kind of compromise stems from many different methods.
“The attackers may simply obtain the sites’ passwords from the Gootkit malware itself, or from any of a number of criminal markets that trade in stolen credentials, or by leveraging any of a number of security exploits in the plugins or add-ons of the CMS software,” researchers stated in a blog post.
Fileless Malware Delivery
Apart from using SEO poisoning, another tactic that sets Gootloader apart is that it performs fileless malware delivery. In fileless malware delivery, legitimate and trusted processes such as PowerShell are used to evade anti-virus products and ensure uninterrupted malware delivery.
There are several search engines out there; however, if you prefer using Google, do not trust every result without taking security precautions. Make sure you have updated anti-malware software installed on your system, and make it a habit to scan files or links before opening them.