SEO poisoning is a malicious tactic where threat actors manipulate search engine results to promote harmful websites by exploiting trending keywords.
This approach not only risks personal information but can also damage the reputations of legitimate businesses.
Cybersecurity researchers at Sophos recently discovered that Gootloader malware has been actively targeting Bengal cat lovers by poisoning Google search results.
GootLoader is an advanced malware platform used by the threat actors behind the REvil ransomware and the Gootkit banking trojan; it has expanded into a multi-stage setup in which initial access is provided as a service.
It primarily functions via SEO poisoning, where threat actors use poisoned Google search results to redirect the target to a compromised website.
When users click on these legitimate-looking links, a three-stage attack sequence is initiated:
- First, it downloads a malicious .zip file that contains obfuscated JavaScript.
- Next, it deploys a second-stage payload that establishes persistence via the Windows Task Scheduler and WScript.exe execution.
- Lastly, it delivers an advanced information stealer and RAT dubbed “GootKit.”
Using PowerShell commands, the RAT maintains persistence in the victim’s network and can deploy Cobalt Strike or ransomware.
The malware’s authors have implemented advanced file-name obfuscation (random numerical sequences) and heavily obfuscated JavaScript masked with legitimate-looking licensing comments, and, for evasion, direct the malware’s files to the AppData\Roaming directory.
The newest version (3.0) also creates files named “Huthwaite SPIN selling.dat” and “Small Units Tactics.js” and sets up scheduled tasks titled “Business Aviation” and “Destination Branding,” which strengthen its persistence on an infected machine, reads the report.
The malicious JavaScript file “Are_bengal_cats_legal_in_australia_72495.js” exhibited a complex execution chain where “WScript.exe” initially created a file in “C:Users
Besides this, Windows Sysinternals Process Monitor showed no sign of disk write or deletion events.
The execution flow continued when Process Hacker registered CScript.exe and PowerShell.exe processes, which spawned instances of conhost.exe.
The malware relied on irregularities such as the scheduled task “Destination Branding,” which launched CScript.exe to run the command “wscript SMALLU1.js,” helping to establish persistence.
Here, PowerShell.exe was revealed by the network analyzers (Wireshark and FakeNet) making “HTTP GET” requests to multiple domains with “/xmlrpc.php” endpoints.
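The process chain described above (a scheduled task starting a Windows script host on a .js file under AppData\Roaming, and a script host spawning PowerShell) is the kind of behaviour a defender can flag from process-creation telemetry. The following is an added example, not code from Sophos or from the GootLoader samples: it scores a few constructed process-creation records modelled on what Process Monitor or Sysmon would show. The user name, process IDs, folder names and the assumption that taskeng.exe or svchost.exe appears as the parent of a scheduled task’s action are all made up for the example.

```python
# Added example (not Sophos' or GootLoader's code): flags the process chain the
# article describes over constructed process-creation records.
import re
from dataclasses import dataclass
from typing import Iterable, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Images that host scheduled-task actions on Windows (assumption: your
# telemetry records one of these as the parent of a task's action).
TASK_PARENTS = {"taskeng.exe", "svchost.exe"}
# Any .js file under a user's AppData\Roaming tree, case-insensitive.
ROAMING_JS = re.compile(r"\\AppData\\Roaming\\[^\"]*?\.js\b", re.IGNORECASE)

REASON_TASK_JS = "scheduled task launched a .js from AppData\\Roaming"
REASON_PS = "script host spawned PowerShell"


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[str]:
    """Return a reason string if the event matches a GootLoader-like pattern, else None."""
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)
    if image in SCRIPT_HOSTS and parent in TASK_PARENTS and ROAMING_JS.search(ev.command_line):
        return REASON_TASK_JS
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        return REASON_PS
    return None


def find_suspicious(events: Iterable[ProcEvent]) -> dict:
    """Map pid -> reason for every event that classify() flags."""
    return {ev.pid: reason for ev in events if (reason := classify(ev)) is not None}


# Constructed sample telemetry; user name, pids and folder names are made up.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\svchost.exe",
              r'cscript.exe "C:\Windows\System32\slmgr.vbs" /dli'),            # benign: .vbs, system path
    ProcEvent(201, r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\svchost.exe",
              r'cscript.exe "C:\Users\alice\AppData\Roaming\Business Aviation\SMALLU1.js"'),
    ProcEvent(202, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cscript.exe", "powershell.exe -NoProfile -w hidden"),
    ProcEvent(300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe"),                      # benign: user-launched
    ProcEvent(301, r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\taskeng.exe",
              r'wscript.exe "C:\Users\alice\AppData\Roaming\Small Units Tactics.js"'),
]

if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {reason}")
```

The first rule deliberately keys on the combination (task-launched script host plus a .js under Roaming) rather than on the task names from the report, which the authors can change between versions; the second rule catches the CScript.exe to PowerShell.exe hand-off regardless of file names.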
It also transmits “Base64-encoded” cookies containing system reconnaissance data (directory paths like “C:Users
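The beacon shape just described (a GET to a “/xmlrpc.php” endpoint whose cookie is a single Base64 blob decoding to reconnaissance text) can be picked out of proxy or web logs. The following is an added example, not code from Sophos or from the GootLoader samples: it runs over constructed request records, uses hostnames on the reserved .invalid TLD, and builds its own made-up reconnaissance string (a path, a hostname and a user name) rather than any value from the report.

```python
# Added example (not Sophos' or GootLoader's code): detects GET /xmlrpc.php
# requests whose Cookie header is one Base64 blob decoding to printable text.
import base64
import re
from typing import List, NamedTuple, Optional

# One Base64 blob and nothing else: ordinary "name=value; name2=value2" cookies fail this.
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


class Request(NamedTuple):
    host: str
    method: str
    path: str
    cookie: str  # raw value of the Cookie request header


def decode_base64_cookie(value: str) -> Optional[str]:
    """Return the decoded text if the whole cookie value is one Base64 blob that
    decodes to printable ASCII; otherwise None."""
    value = value.strip()
    if len(value) % 4 != 0 or not BASE64_BLOB.match(value):
        return None
    try:
        text = base64.b64decode(value).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not text or not all(c.isprintable() for c in text):
        return None
    return text


def find_beacons(requests) -> List[tuple]:
    """(host, decoded cookie) for each GET /xmlrpc.php whose cookie decodes to text."""
    hits = []
    for r in requests:
        if r.method != "GET" or r.path != "/xmlrpc.php":
            continue
        decoded = decode_base64_cookie(r.cookie)
        if decoded is not None:
            hits.append((r.host, decoded))
    return hits


# Constructed reconnaissance payload: a directory path, a hostname and a user name.
RECON_PLAINTEXT = r"C:\Users\alice\AppData\Roaming|DESKTOP-EXAMPLE|alice"
RECON_COOKIE = base64.b64encode(RECON_PLAINTEXT.encode("ascii")).decode("ascii")

# Constructed request log; hosts are placeholders on the reserved .invalid TLD.
SAMPLE_REQUESTS = [
    Request("example-blog-1.invalid", "GET", "/xmlrpc.php", RECON_COOKIE),        # beacon
    Request("example-blog-2.invalid", "GET", "/xmlrpc.php", "PHPSESSID=abc123"),  # ordinary cookie
    Request("example-blog-3.invalid", "GET", "/index.php", RECON_COOKIE),         # other endpoint, outside this rule
    Request("example-blog-4.invalid", "GET", "/xmlrpc.php", "AAECAwQF"),          # Base64 but binary, not text
]

if __name__ == "__main__":
    for host, decoded in find_beacons(SAMPLE_REQUESTS):
        print(f"{host}: {decoded}")
```

Because /xmlrpc.php is a standard WordPress endpoint, the path alone is not a useful indicator; the rule therefore also requires the cookie to be a lone Base64 blob that decodes to readable text, and the decoded string is returned so an analyst can confirm it holds host information. Since the report notes requests to multiple domains, counting distinct hosts per client would strengthen the signal further.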
The malware showed flexibility, as it could drop secondary JavaScript payloads in any of the folders already created under the AppData\Roaming directory.
Researchers classified the network indicators as malware/callhome signatures and categorized the first JavaScript as JS/Drop-DIJ and the second payload as JS/Gootkit-AW variants, which confirms the malicious character of the files analyzed.