The delivery system for the Gootkit information stealer has evolved into a complex framework that has earned it a new name: Gootloader. The loader now distributes a wider variety of malware through hacked WordPress sites and malicious SEO techniques that game Google's ranking algorithm.
Known as black hat SEO, this is an aggressive search engine optimization technique that tries to manipulate a search engine's rules in order to obtain top positions in, for example, Google's rankings. The name is an allusion to western movies, in which the bandits generally wore black hats.
Besides the larger set of payloads, Gootloader was seen distributing them in several regions from hundreds of hacked servers that are active at any given time. Malware campaigns relying on the Gootloader engine were detected last year installing the REvil ransomware on targets in Germany. The activity marked the resumption of Gootkit operations, which took a long break after a data leak in late 2019.
The hackers have regrouped by building a vast network of hacked WordPress sites and using SEO poisoning to surface fake forum posts with malicious links in Google search results.
A recent report from cybersecurity company Sophos estimates that Gootloader controls about 400 active servers at any given time, hosting legitimate websites that have been hacked. The company's researchers say the threat operator modified the content management system (CMS) of the hacked sites to show fake message boards to visitors from specific locations.
In one example of a hacked website that is part of the Gootloader framework, the fake forum post appears to answer a very specific search query about real estate transactions. The result, however, is on the website of a neonatal medical practice that has nothing in common with the searched topic, "but it is the first result to appear in a query on a very narrow type of real estate contract".
In addition to its usual payloads, Gootkit and the REvil ransomware, Gootloader also distributes the Kronos trojan and the Cobalt Strike threat emulation toolkit. According to Sophos, the Gootloader campaigns target visitors from Germany, the USA and South Korea. France was also targeted previously.
All the fake forum posts look the same, regardless of language. If a visitor does not match the target profile, they see a fake page with text that looks normal at the start but degenerates into gibberish toward the end.
Twists in the chain of infection
"This stage contains a large blob of data which it first decodes from its numeric value into text and then writes directly to a series of keys in the Windows Registry, in the HKCU Software section," says Sophos. The company says the latest Gootloader samples use the registry to store two payloads: a small C# executable responsible for extracting a second executable from the data stored in the registry, and that second executable, Gootloader's final stage, an intermediate .NET injector that deploys Delphi-based malware using the process hollowing technique.
This Delphi malware is the last link in the infection chain: it carries an encrypted copy of REvil, Gootkit, Cobalt Strike or Kronos, decrypts it and executes it in memory.
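As an added example (not code from the article or from Sophos), the following Python heuristic scans an exported .reg file for HKCU\Software keys whose values together look like a chunked, numeric-encoded blob, the registry storage pattern described above. The sample export, its key and value names, and the thresholds are constructed for this illustration and are assumptions, not indicators from the report.

```python
import re

# Constructed sample of a .reg export (not real Gootloader data): a benign key and
# a key holding a blob split into many decimal-digit string values, the storage
# pattern the article describes. Key and value names are made up for this example.
def build_sample_reg():
    benign = ('[HKEY_CURRENT_USER\\Software\\ExampleApp]\n'
              '"InstallDir"="C:\\\\Program Files\\\\ExampleApp"\n'
              '"Version"="1.2.3"\n')
    chunks = ''.join('"%d"="%s"\n' % (i, ''.join(str((i * 7 + j) % 10) for j in range(300)))
                     for i in range(12))
    suspect = '[HKEY_CURRENT_USER\\Software\\ConstructedSuspectKey]\n' + chunks
    return 'Windows Registry Editor Version 5.00\n\n' + benign + '\n' + suspect

KEY_RE = re.compile(r'^\[(HKEY_CURRENT_USER\\Software\\[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for string values under HKCU\\Software."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys

def digit_ratio(s):
    """Fraction of characters that are decimal digits (0.0 for empty data)."""
    return sum(c.isdigit() for c in s) / len(s) if s else 0.0

def find_suspicious_keys(keys, min_values=8, min_bytes=2048, min_ratio=0.9):
    """Flag keys whose values together look like a chunked, numeric-encoded blob.
    Thresholds are assumptions for this example; tune them against a clean baseline."""
    hits = []
    for path, values in keys.items():
        data = list(values.values())
        total = sum(len(v) for v in data)
        if (len(data) >= min_values and total >= min_bytes
                and all(digit_ratio(v) >= min_ratio for v in data)):
            hits.append(path)
    return hits

def scan_sample():
    return find_suspicious_keys(parse_reg_export(build_sample_reg()))
```

On a real host, feed the output of `reg export HKCU\Software out.reg` to `parse_reg_export` and review any flagged key by hand before acting on it.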
All of these twists at each stage of the attack buy the attackers time to run their campaigns, since malware analysts can spend a long time understanding each step of the infection chain. Sophos says there are several variations on the delivery method, involving additional PowerShell scripts, Cobalt Strike modules or executable code injectors.
See the original post at: https://www.cisoadvisor.com.br/hackers-usam-black-hat-seo-para-enviar-ransomware-e-trojans-via-google/?rand=59039