Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

3/2/2021
09:25 AM

Attacker Expands Use of Malicious SEO Techniques to Distribute Malware

The operators of REvil and Gootkit have begun using a tried and tested technique to distribute additional malware, Sophos says.

An innovative method that the operators of the REvil ransomware strain and the Gootkit banking Trojan have been using for years to distribute their malware is now being used to deliver other malware as well, including the Kronos Trojan and the Cobalt Strike attack kit.

Researchers from Sophos who have been tracking the threat have dubbed the delivery mechanism Gootloader. In a new report, they described the method as deserving close scrutiny for the manner in which it leverages malicious search engine optimization (SEO) techniques as part of the malware deployment process.


The method basically involves the attackers maintaining a fairly large network of servers hosting legitimate but previously compromised websites. In each instance, the attackers exploit vulnerabilities in the website's content management system to essentially inject a mostly unintelligible collection of words and phrases — commonly referred to as a "word salad."

The goal is to fool search engines into thinking a compromised website is about those words, when in reality it might be about something else entirely, says Chester Wisniewski, principal research scientist at Sophos. For example, one compromised website that Sophos observed being used in the Gootkit campaign belonged to a neonatal clinic in Canada. Because of the random collection of words and phrases that had been inserted into it, the site appeared as the top link in Google search results in response to a query about a very narrow type of real estate agreement.

"Maybe you search for 'connect Bluetooth toothbrush to Motorola Android phone,'" Wisniewski explains by way of an example. "It just so happens that the criminals had compromised an insecure WordPress site last week and amongst the word salad they injected were words like 'Motorola,' 'Android,' and 'toothbrush,'" he says. Google gets tricked into thinking the site is an expert on the topic and serves up the page as a top link in search results.

Because the result seems to match the original search query exactly, the user is fooled into clicking on the link and ends up being directed to what appears to be a forum page on the compromised website, where people are seemingly discussing the identical topic. On the webpage is a download link, apparently posted by the forum administrator, to a document purporting to contain the answer to the user's search query. The link, too, contains the exact search terms, in the same order as used in the original search query. Users who click on the link end up downloading a ZIP file — again named with the same search terms — containing a malicious JavaScript that is disguised to look like a document. "You open the 'document' and run the JavaScript, which infects your PC," Wisniewski says.

Constructing Payloads on the Fly
The JavaScript file is the only stage of the attack chain where a malicious file is written to the filesystem, according to the report. Every other malicious activity that is initiated after the script runs happens in memory and out of sight of most endpoint protection tools, the vendor notes.

The security vendor's analysis of Gootloader shows the mechanism is designed to serve up the fake forum page only to users who arrive at a compromised website by following a Google search result. The Gootloader process also determines whether the site visitor's computer is running an operating system with the specific language and geolocation preferences that the attackers are targeting. If any of these conditions is not met, the visitor to the compromised website is not served the fake forum page at all.

The adversaries have developed a method where the site from which the malicious file is downloaded is able to construct payloads "on the fly" with a file name that matches the original search query, Sophos says. The company found that users were searching for things as random as "Cisco WPA agreement" and "employee retention bonus agreement template" when they were presented with links to a compromised website purporting to have an answer to their specific query.
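The pattern described above (a Google referral, a fake forum page, then an archive whose file name repeats the search terms) leaves a recognisable trace in outbound proxy logs. The following Python is an added example for hunting that trace; it is not code from the Sophos report or the article. The log format, the hostnames, the visitor addresses and the assumption that the search terms are visible in the Google Referer (`q=`) are all constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample proxy log (client, method, URL, referer); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET https://clinic.example/forum/?topic=cisco+wpa+agreement https://www.google.com/search?q=cisco+wpa+agreement
10.0.0.5 GET https://clinic.example/dl/cisco%20wpa%20agreement%2038172.zip https://clinic.example/forum/?topic=cisco+wpa+agreement
10.0.0.9 GET https://vendor.example/docs/quarterly-report.zip https://vendor.example/docs/
10.0.0.9 GET https://vendor.example/whitepaper.zip https://www.google.com/search?q=employee+retention+bonus+agreement+template
"""

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokens(text):
    """Lower-cased alphanumeric words of a (possibly percent-encoded) string."""
    return set(TOKEN_RE.findall(unquote(text).lower()))


def google_query(referer):
    """Return the search terms if the referer is a Google results page with a visible q= parameter."""
    u = urlparse(referer)
    host = u.hostname or ""
    if host != "google.com" and not host.endswith(".google.com"):
        return None
    q = parse_qs(u.query).get("q")
    return q[0] if q else None


def find_search_named_downloads(log_text, min_overlap=2):
    """Flag clients that came from a Google search and then fetched a .zip/.js whose name repeats the search terms."""
    last_query = {}  # client -> most recent Google search terms seen for that client
    hits = []
    for line in log_text.splitlines():
        client, _method, url, referer = line.split()
        q = google_query(referer)
        if q:
            last_query[client] = q
        name = unquote(urlparse(url).path.rsplit("/", 1)[-1])
        if not name.lower().endswith((".zip", ".js")):
            continue
        query = last_query.get(client)
        if not query:
            continue
        shared = tokens(name) & tokens(query)
        if len(shared) >= min(min_overlap, len(tokens(query))):
            hits.append((client, name, query))
    return hits
```

Run against real proxy exports, the match list is a starting point for triage, not a verdict: a legitimate site can also name a download after what the user searched for.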

Sophos says the infection method appears to target only users conducting searches on Google. It also appears to mostly work for search types where there isn't a clearly credible expert page to send users to, Wisniewski adds. "It's very difficult to trick Google about 'Donald Trump' or 'Watergate,'" he notes. So, many of the searches where users end up on a compromised site are for odd combinations of generic things. "This is why the word salad approach works so well," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...