Malware Loader Abuses Google SEO to Expand Payload Delivery

The Gootloader malware loader, previously used for distributing the Gootkit malware family, has undergone what researchers call a “renaissance” when it comes to payload delivery. New research released this week paints Gootloader as an increasingly sophisticated loader framework, which has now expanded the number of payloads its delivers beyond Gootkit (and in some cases, the previously-distributed REvil ransomware), to include the Kronos trojan and the Cobalt Strike commodity malware. Gootloader is known for its multi-stage attack process, obfuscation tactics, and for using a known tactic for malware delivery called search engine optimization (SEO) poisoning. This technique leverages SEO-friendly terms in attacker-controlled websites, in order to rank them higher in Google’s search index. In the end, the method brings more eyeballs to the malicious sites, which contain links that launch the Gootloader attack chain. “The malware delivery method pioneered by the threat actors behind the REvil ransomware and the Gootkit banking Trojan has been enjoying a renaissance of late, as telemetry indicates that criminals are using the method to deploy an array of malware payloads in South Korea, Germany, France, and across North America,” said Gabor Szappanos and Andrew Brandt, security researchers with Sophos Labs on Monday. What is the Gootloader Malware Tool? Gootloader is a Javascript-based infection framework that was traditionally used for the Gootkit remote access trojan (RAT)….

Source