An innovative method that the operators of the REvil ransomware strain and the Gootkit banking Trojan have been using for years to distribute their malware is now being used to deliver other malware as well, including the Kronos Trojan and the Cobalt Strike attack kit.
Researchers from Sophos who have been tracking the threat have dubbed the delivery mechanism Gootloader. In a new report, they described the method as deserving close scrutiny for the manner in which it leverages malicious search engine optimization (SEO) techniques as part of the malware deployment process.
The method basically involves the attackers maintaining a fairly large network of servers hosting legitimate but previously compromised websites. In each instance, the attackers exploit vulnerabilities in the website's content management system to essentially inject a mostly unintelligible collection of words and phrases — commonly referred to as a "word salad."
The goal is to fool search engines into thinking a compromised website is about those words, when in reality it might be about something else entirely, says Chester Wisniewski, principal research scientist at Sophos. For example, one compromised website that Sophos observed being used in the Gootkit campaign belonged to a neonatal clinic in Canada. Because of the random collection of words and phrases that had been inserted into it, the site appeared as the top link in Google search results in response to a query about a very narrow type of real estate agreement.
"Maybe you search for 'connect Bluetooth toothbrush to Motorola Android phone,'" Wisniewski explains by way of an example. "It just so happens that the criminals had compromised an insecure WordPress site last week and amongst the word salad they injected were words like 'Motorola,' 'Android,' and 'toothbrush,'" he says. Google gets tricked into thinking the site is an expert on the topic and serves up the page as a top link in search results.
Constructing Payloads on the Fly
The security vendor's analysis of Gootloader shows the mechanism is designed to serve the fake forum page only to users who reach a compromised website by following a Google search result. The Gootloader process also checks whether the visitor's computer is running an operating system with the specific language and geolocation preferences the attackers are targeting. If any of these conditions is not met, the fake forum page is not served to the visitor.
The adversaries have developed a method where the site from which the malicious file is downloaded is able to construct payloads "on the fly" with a file name that matches the original search query, Sophos says. The company found that users were searching for things as random as "Cisco WPA agreement" and "employee retention bonus agreement template" when they were presented with links to a compromised website purporting to have an answer to their specific query.
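For a site owner who wants to check whether their own pages are being used this way, here is an added example (not code from Sophos or from the article) of two defender-side heuristics: a diff of the text served to a direct visitor versus a visitor arriving with a Google referrer, and a crude "word salad" score for injected text. The stop-word list, thresholds and sample HTML pages are this example's own constructed assumptions.

```python
"""Checks for Gootloader-style SEO poisoning on a site you administer (thresholds and samples are this example's own)."""
import re
from html.parser import HTMLParser

STOPWORDS = {"the", "a", "an", "and", "or", "of", "to", "in", "is", "for", "on",
             "with", "that", "this", "it", "as", "are", "be", "by"}

# Constructed sample: the same page as fetched directly and as fetched with a Google Referer header.
DIRECT_HTML = ("<html><body><h1>Neonatal Clinic</h1><p>Our clinic provides care for newborns "
               "and their parents. You can book an appointment online or by phone.</p></body></html>")
REFERRED_HTML = DIRECT_HTML.replace("</body>", (
    '<div class="forum"><p>cisco wpa agreement template download free pdf contract '
    'sample lease real estate form</p><a href="#">cisco_wpa_agreement.zip</a></div></body>'))

class _TextNodes(HTMLParser):  # collects visible text nodes, skipping script and style bodies
    def __init__(self):
        super().__init__()
        self.nodes, self._skip = [], False

    def handle_starttag(self, tag, attrs):
        self._skip = tag in ("script", "style")

    def handle_endtag(self, tag):
        self._skip = False

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.nodes.append(data.strip())

def text_nodes(html):
    parser = _TextNodes()
    parser.feed(html)
    return parser.nodes

def cloaking_diff(direct_html, referred_html):
    """Text nodes served only to the search-engine-referred request, i.e. cloaked content."""
    seen = set(text_nodes(direct_html))
    return [node for node in text_nodes(referred_html) if node not in seen]

def word_salad_score(text):
    """0.0 (ordinary prose) .. 1.0 (bare keyword list); 0.5 or above is suspicious."""
    words = re.findall(r"[a-z']+", text.lower())
    if len(words) < 10:
        return 0.0
    stop_ratio = sum(w in STOPWORDS for w in words) / len(words)
    sentences = max(1, len(re.findall(r"[.!?]", text)))
    per_sentence = len(words) / sentences
    # Assumed baselines: prose has roughly 30% stop words and far fewer than 80 words per sentence.
    return round(0.5 * (1 - min(stop_ratio / 0.3, 1.0)) + 0.5 * min(per_sentence / 80, 1.0), 2)
```

Against a live site, fetch the page twice (for instance with curl, once plain and once with `-H 'Referer: https://www.google.com/'`) and pass both bodies to `cloaking_diff`. Because the report also describes gating on the visitor's OS language and geolocation, an empty diff from a single vantage point does not prove the site is clean.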
Sophos says the infection method appears to target only users conducting searches on Google. It also appears to mostly work for search types where there isn't a clearly credible expert page to send users to, Wisniewski adds. "It's very difficult to trick Google about 'Donald Trump' or 'Watergate,'" he notes. So, many of the searches where users end up on a compromised site are for odd combinations of generic things. "This is why the word salad approach works so well," he says.