The Gootloader malware loader, previously used for distributing the Gootkit malware family, has undergone what researchers call a “renaissance” when it comes to payload delivery.
New research released this week paints Gootloader as an increasingly sophisticated loader framework, which has now expanded the number of payloads its delivers beyond Gootkit (and in some cases, the previously-distributed REvil ransomware), to include the Kronos trojan and the Cobalt Strike commodity malware.
Gootloader is known for its multi-stage attack process, obfuscation tactics, and for using a known tactic for malware delivery called search engine optimization (SEO) poisoning. This technique leverages SEO-friendly terms in attacker-controlled websites, in order to rank them higher in Google’s search index. In the end, the method brings more eyeballs to the malicious sites, which contain links that launch the Gootloader attack chain.
“The malware delivery method pioneered by the threat actors behind the REvil ransomware and the Gootkit banking Trojan has been enjoying a renaissance of late, as telemetry indicates that criminals are using the method to deploy an array of malware payloads in South Korea, Germany, France, and across North America,” said Gabor Szappanos and Andrew Brandt, security researchers with Sophos Labs on Monday.
What is the Gootloader Malware Tool?
Gootloader is a Javascript-based infection framework that was traditionally used for the Gootkit remote access trojan (RAT). The Gootkit malware family, which has been around for more than five years, has evolved over time into a mature trojans primarily aimed at stealing banking credentials.
While Gootloader was previously used as a vehicle to merely deliver the Gootkit malware, “In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself,” said researchers.
In addition to its use of SEO poisoning, what sets Gootloader apart is its fileless malware delivery tactics, they said. Fileless malware uses trusted, legitimate processes (in the case of Gootloader, PowerShell, for instance) that allows the malware delivery mechanism to evade antivirus products.
Gootloader Malware: Compromised, Legitimate Websites
In order to perform SEO poisoning, Gootloader attackers have first compromised a wide variety of legitimate websites, which they maintain on a network of roughly 400 servers, said researchers.
Researchers said, the operators of these legitimate, hacked websites do not seem to know their websites are being abused in this manner.
“It isn’t clear how the threat actors gain access to the backend of these sites, but historically, these kinds of website compromises may be the result of any of a number of methods: The attackers may simply obtain the sites’ passwords from the Gootkit malware itself, or from any of a number of criminal markets that trade in stolen credentials, or by leveraging any of a number of security exploits in the plugins or add-ons of the CMS software,” they said.
Using Google Search Engine Optimization For Malware Delivery
Gootloader attacker-compromised websites then tweak the content management systems of the websites to use key SEO tactics and terms. The goal here is to appear at the top of Google’s index when certain questions are typed into Google search.
For instance, typing the question “do I need a party wall agreement to sell my house?” turns up a legitimate website for a Canada-based neonatal medical practice, which has actually been compromised by Gootloader attackers.
The part of the website that has been compromised by attackers features a “message board” with a “user” asking the question “do I need a party wall agreement to sell my house?” This uses the exact same wording as the search query, as a way to rank higher on Google’s search index – even if it has nothing to do with the actual content of the compromised website.
On that “message board,” an “admin profile” then responds to the question with a link purporting to have more information.
“None of the site’s legitimate content has anything to do with real estate transactions – its doctors deliver babies – and yet it is the first result to appear in a query about a very narrowly defined type of real estate agreement,” said researchers. “Google itself indicates the result is not an ad, and they have known about the site for nearly seven years. To the end user, the entire thing looks on the up-and-up.”
Threatpost has reached out to Google for more information on how the company is battling such SEO poisoning types of attacks.
Gootloader Payload Delivery Mechanism
Gootloader’s payload delivery mechanism is complex and involves multiple stages.
Initially, when the website user clicks on the “admin” account’s link on the compromised website, they receive a ZIP archive file with a filename (again matching the search query terms used in the initial search). This file then contains another JS file (with the same name). JS extension files involve a text file containing JavaScript code, used to execute JavaScript instructions in webpages; the specific JS files in this attack typically invoke the Windows Scripting Host (wscript.exe) when run.
“This .js file is the initial infector, and the only stage of the infection at which a file is written to the filesystem,” said researchers. “Everything that happens after the target double-clicks this script runs entirely in memory, out of the reach of traditional endpoint protection tools.”
The first-stage script, which is obfuscated, attempts to contact the command-and-control (C2) server – if it successfully does so, the second-stage malware process then creates an auto-run entry for a PowerShell script that doesn’t execute until the system reboots, creating a stealthy way for attackers to sidestep detection.
“Because this next stage doesn’t completely execute until the next time the computer reboots, the target may not actually discover the infection until some hours or even days later – whenever they fully reboot Windows,” said researchers.
Once the computer reboots, the PowerShell script runs and begins a dominoes-like sequence of events, ending with Gootloader attempting to download its final payload.
“The Delphi loader contains the final payload – Kronos, REvil, Gootkit, or Cobalt Strike – in encrypted form,” said researchers. “In those cases, the loader decrypts the payload, then uses its own PE loader to execute the payload in memory.”
Other Malware Google SEO Abuse Tactics
The abuse of SEO to gain more eyeballs and traction to malicious sites is an age-old trick for cybercriminals, with examples of this type of tactic dating back to at least 2011. In 2017, cybercriminals poisoned Google search results in the hope of infecting users with a banking Trojan called Zeus Panda, for instance.
These types of attacks continue because they work, said researchers.
“Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools (or finds them convenient or even intuitive),” they said. “Even attentive users who are aware of the trick involving the fake forum page might not recognize it until it’s too late.”