Hackers use black hat SEO to push ransomware, trojans via Google
The delivery system for the Gootkit information stealer has evolved into a complex and stealthy framework, which earned it the name Gootloader, and is now pushing a wider variety of malware via hacked WordPress sites and malicious SEO techniques for Google results.
Apart from increasing the number of payloads, Gootloader has been seen distributing them across multiple regions from hundreds of hacked servers that are active at all times.
Fake forums start the malware flow
Malware campaigns relying on Gootloader’s mechanism have been spotted last year delivering REvil ransomware to targets in Germany. The activity marked a restart of Gootkit operations that took a long break after a data leak towards the end of 2019.
The actors regrouped by forming a vast network of hacked WordPress sites and using SEO poisoning to show in Google forum posts fake forums with malicious links.
The fake message boards appear only to visitors from specific geographies and present them a “discussion” that allegedly contains the answer to their query in a post from “site administrator,” who publishes a link to a malicious file.
A report today from cybersecurity company Sophos estimates that Gootloader controls about 400 servers active at any time that host hacked, legitimate websites.
The researchers say that the threat actor modified the content management system (CMS) of the hacked websites to show the fake message boards to visitors from specific locations.
In an example of a hacked site that is part of the Gootloader framework, the fake forum post appears to provide an answer for a very specific search query related to real estate transactions.
However, the result is on a site for a neonatal medical practice that has nothing in common with the searched topic, “yet it is the first result to appear in a query about a very narrowly defined type of real estate agreement.”
Apart from the typical payload, Gootkit and REvil ransomware, Gootloader has also been observed to deliver Kronos trojan and the Cobalt Strike threat emulation toolkit.
According to Sophos, Gootloader campaigns target visitors from the U.S. Germany, and South Korea. Another country that’s been targeted previously is France.
Clicking on the link takes the visitor to a ZIP archive of a JavaScript file that acts as the initial infector. Sophos notes that this is the only stage where a file is written to disk and that all the other malware is deployed in the system memory, so traditional security tools can’t detect it.
All forum posts look the same, regardless of their language. If the visitor does not match the target profile, they see a fake page with text that looks normal at the beginning but turns into an unintelligible ramble towards the end.
Twists and turns of the infection chain
The initial JavaScript payload is twice obfuscated to evade detection from traditional antivirus solutions. It also includes two layers of encryption to strings and data blobs that relate to the next stage of the attack, which is the sole purpose of the malicious code.
If the move to the second stage is successful, the Gootloader command and control (C2) server delivers a string of numeric values that represent ASCII characters, which is loaded into the system memory.
“This stage contains a large blob of data that it, first, decodes from its numeric value into text, then writes directly into a series of keys in the Windows Registry, under the HKCUSoftware hive” – Sophos
The same method was observed last year by Malwarebytes when the researchers analyzed the delivery of REvil ransomware to German targets via Gootkit’s delivery framework.
In the next step, an autorun entry is created for a PowerShell script so that it loads at each system reboot. It’s purpose is to decode the contents written earlier in the registry keys. This ultimately ends with downloading the final payload, which can be Gootkit, REvil, Kronos, or Cobalt Strike.
Sophos says that the latest Gootloader samples use the registry to store two payloads, a small C# executable which is responsible with extracting a second executable from the data stored in Windows Registry.
This second executable is Gootloaders final payload, an intermediary dotNET injector that deploys a Delphi-based malware using the process hollowing technique.
Sophos saw at least two legitimate applications used for this process: the ImagingDevices.exe system component that is available in Windows and the Embarcadero External Translation Manager.
This Delphi malware is the last link in the infection chain as it includes a encrypted copy of REvil, Gootkit, Cobalt Strike, or Kronos. It decrypts the payload it carries and executes it in memory.
All these twists and turns at each stage of the attack are buying the attacker some time to carry out their campaigns as malware analysts can spend a lot of time understanding every step in the infection chain.
Furthermore, Sophos says that there are multiple variations for the delivery methods that involve additional PowerShell scripts, Cobalt Strike modules, or code-injector executables.
The researchers say that using script blockers could keep users at bay from this threat as they can prevent the replacement of the hacked page. However, this solution is popular with a small number of users and a large pool of potential victims still remains.
Sophos has published a technical analysis of the Gootloader infection chain and makes available on its GitHub page indicators of compromise and a Yara rule for its malicious JavaScript files.
Update [March 2, 2021]: Microsoft confirmed today the Gootloader infection method and said that it is seeing numerous attacks, most of them targeting Germany.