
Hackers use black hat SEO to send ransomware and trojans via Google


The malware delivery system behind the Gootkit information stealer has evolved into a complex structure that has earned it a new name: Gootloader. It now distributes a wider variety of malware through hacked WordPress sites and malicious SEO techniques that game Google’s ranking algorithm.

Known as black hat SEO, this is an aggressive search engine optimization technique that manipulates the search engine’s rules in order to obtain top positions in the Google ranking, for example. The name black hat is an allusion to western movies, in which the bandits generally wore black hats.

In addition to increasing the number of payloads, Gootloader was seen distributing them in several regions from hundreds of hacked servers that are active at any given time. Malware campaigns relying on the Gootloader engine were detected last year installing the REvil ransomware on targets in Germany. That activity marked the resumption of Gootkit operations, which took a long break after a data leak in late 2019.

The operators have regrouped by building a vast network of hacked WordPress sites and using SEO poisoning to surface fake forum posts with malicious links in Google search results.

A recent report released by the cybersecurity company Sophos estimates that Gootloader controls about 400 active servers at any given time, hosting legitimate websites that have been hacked. The company’s researchers say the threat operator has modified the content management system (CMS) of the hacked sites to show fake message boards to visitors from specific locations.

In one example of a hacked website that is part of the Gootloader framework, the fake forum post appears to answer a very specific search query about real estate transactions. However, the result sits on the website of a neonatal medical practice that has nothing to do with the searched topic, “but it is the first result to appear in a query about a very restricted type of real estate contract”.

In addition to its typical payloads, Gootkit and the REvil ransomware, Gootloader also distributes the Kronos trojan and the Cobalt Strike threat emulation toolkit. According to Sophos, the Gootloader campaigns target visitors from Germany, the USA and South Korea. France was also targeted previously.

Clicking the link takes the visitor to a Zip archive containing a JavaScript file that acts as the initial infector. The researchers note that this is the only stage at which a file is written to disk; every other piece of malware is loaded into the system’s memory, which makes it much harder for traditional file-based security tools to detect.

All of the fake forum posts look the same, regardless of language. If the visitor does not match the target profile, they see a fake page whose text looks normal at the beginning but degenerates into unintelligible gibberish by the end.

Twists in the chain of infection

The initial JavaScript payload is obfuscated twice to evade detection by traditional antivirus solutions. It also applies two layers of encryption to the data strings and blobs that relate to the next stage of the attack, which is the sole purpose of the malicious code. If the move to the second stage succeeds, the Gootloader command and control (C2) server returns a sequence of numeric values representing ASCII characters, which is loaded into the system’s memory.


“This stage contains a large blob of data which it first decodes from its numeric value into text and then writes directly to a series of keys in the Windows Registry, in the HKCU Software section,” says Sophos. The company says that the latest Gootloader samples use the registry to store two payloads: a small C# executable that is responsible for extracting a second executable from the data stored in the Windows registry. This second executable is Gootloader’s final payload, an intermediate .NET injector that deploys Delphi-based malware using the process hollowing technique.
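The two stages described above (a C2 response made of numeric ASCII values, and a payload chunked across a series of values under HKCU\Software) can be modelled for detection. The following is an added example, not Sophos’ or the article’s code: it decodes the numeric format, reassembles numbered registry values and flags any key whose joined content decodes to a PE image. The registry snapshot, the key name `Xmhbpqz` and the base64 chunking are constructed assumptions; on a live Windows host the snapshot would come from `winreg`.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# CONSTRUCTED snapshot of HKCU\Software: {subkey: {value_name: value_data}}.
# Chunk layout (numbered values holding base64 text) is an assumption for the demo.
MZ_STUB = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"A" * 200
_b64 = base64.b64encode(MZ_STUB).decode()
SAMPLE_HKCU_SOFTWARE: Dict[str, Dict[str, str]] = {
    "Microsoft\\Notepad": {"lfEscapement": "0", "iWindowPosX": "120"},   # benign
    "Xmhbpqz": {str(i): _b64[i * 64:(i + 1) * 64]                          # staged payload
                for i in range((len(_b64) + 63) // 64)},
}

def decode_numeric_ascii(blob: str) -> bytes:
    """Decode the C2 response format the article describes: decimal ASCII codes."""
    values = [int(v) for v in re.split(r"[\s,;]+", blob.strip()) if v]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("not a byte sequence")
    return bytes(values)

def reassemble_chunks(values: Dict[str, str]) -> Optional[str]:
    """Join values named 0..n-1 in order; None unless the names form a contiguous run."""
    if not values or not all(name.isdigit() for name in values):
        return None
    idx = sorted(int(n) for n in values)
    if idx != list(range(len(idx))):
        return None
    return "".join(values[str(i)] for i in idx)

def looks_like_staged_pe(text: str) -> bool:
    """True if the joined text base64-decodes to something with an MZ header."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw[:2] == b"MZ"

def find_staged_payloads(software: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the subkeys whose numbered values reassemble into a PE image."""
    hits = []
    for key, values in software.items():
        joined = reassemble_chunks(values)
        if joined and looks_like_staged_pe(joined):
            hits.append(key)
    return hits

if __name__ == "__main__":
    print(decode_numeric_ascii("77 90 144 0"))   # → b'MZ\x90\x00'
    print(find_staged_payloads(SAMPLE_HKCU_SOFTWARE))   # → ['Xmhbpqz']
```

Real samples may chunk differently or add encryption, so treat the MZ check as one signal alongside the size and entropy of string values under unusual HKCU\Software keys.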

This Delphi malware is the last link in the infection chain, as it carries an encrypted copy of REvil, Gootkit, Cobalt Strike or Kronos. It decrypts the payload it carries and executes it in memory.

All of these twists at each stage of the attack buy the attacker time to run their campaigns, since malware analysts can spend a long time unpicking each step of the infection chain. Sophos says there are several variations of the delivery method involving additional PowerShell scripts, Cobalt Strike modules or executable code injectors.

The researchers say that script blockers can protect users from this threat, because they prevent the hacked page’s content from being replaced with the fake forum. However, script blockers are popular with only a small number of users, so a large pool of potential victims remains. Sophos has published a technical analysis of the Gootloader infection chain and makes indicators of compromise and a YARA rule for the malicious JavaScript files available on its GitHub page.
