Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites


mood

A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads.

 

"The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today.

"In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself."

Dubbed "Gootloader," the expanded malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S.

 

First documented in 2014, Gootkit is a JavaScript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft.

 

Over the years, the cybercrime tool has evolved to gain new information-stealing features, with the Gootkit loader repurposed in combination with REvil/Sodinokibi ransomware infections reported last year.

 

While campaigns using social engineering tricks to deliver malicious payloads are a dime a dozen, Gootloader takes it to the next level.

 

The infection chain resorts to sophisticated techniques that involve hosting malicious ZIP archive files on websites belonging to legitimate businesses that have been gamed to appear among the top results of a search query using manipulated search engine optimization (SEO) methods.


What's more, the search engine results point to websites that have no "logical" connection to the search query, implying that the attackers must be in possession of a vast network of hacked websites. In one case spotted by the researchers, a search for advice about a real estate agreement surfaced a breached neonatal medical practice based in Canada as the first result.

"To ensure targets from the right geographies are captured, the adversaries rewrite website code 'on the go' so that website visitors who fall outside the desired countries are shown benign web content, while those from the right location are shown a page featuring a fake discussion forum on the topic they've queried," the researchers said.

 

Clicking the search result takes the user to a fake message board-like page that matches not only the search terms used in the initial query but also includes a link to the ZIP file, which contains a heavily obfuscated JavaScript file that initiates the next stage of compromise to inject the fileless malware fetched from a remote server into memory.

 

This takes the form of a multi-stage evasive approach that begins with a .NET loader, which comprises a Delphi-based loader malware, which, in turn, contains the final payload in encrypted form.

In addition to delivering the REvil ransomware and the Gootkit trojan, multiple campaigns have been spotted currently leveraging the Gootloader framework to deliver the Kronos financial malware in Germany stealthily, and the Cobalt Strike post-exploitation tool in the U.S.

 

It's still unclear how the operators gain access to the websites to serve the malicious injects, but the researchers suspect the attackers may have obtained the passwords by installing the Gootkit malware or purchasing stolen credentials from underground markets, or by leveraging security flaws present in the plugins used alongside content management system (CMS) software.

"The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware," said Gabor Szappanos, threat research director at Sophos.

"This shows that criminals tend to reuse their proven solutions instead of developing new delivery mechanisms. Further, instead of actively attacking endpoint tools as some malware distributors do, the creators of Gootloader have opted for convoluted evasive techniques that conceal the end result," he added.

Source: Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites

zanderthunder

Cybercriminals now using fake forums to trick victims into downloading malware


Taking advantage of people looking for advice online, cybercriminals are now setting up traps in the form of fake forums, research reveals.

 

The study by cybersecurity firm Sophos explains that criminals would manipulate search engine optimisation (SEO) so that when someone types a question, hacked websites appear among the top results.

 

The criminals would earlier hack into legitimate websites and subtly alter the content, enabling it to show different content to different visitors.

 

Sophos threat research director Gabor Szappanos said the content that users see depends on their country location. For instance, if they are from a country that is not a target, they are shown benign fake web content and nothing happens.

 

However, if the user is from one of the targeted countries, they are shown a page featuring a fake discussion forum on whatever topic was queried, using the same terms they typed into the search engine.

 

Szappanos warned that the fake discussion forum would have a post from someone claiming to be a site administrator, with a comment prompting visitors to download a link. The link is a malicious file, and if downloaded will start the next stage of infection.

 

Sophos has named the infection method Gootloader, reflecting how it loads Gootkit financial malware, which in turn paves a way for other malware, including ransomware.

 

He said Gootloader is currently delivering Kronos financial malware in Germany, plus a post-exploitation tool called Cobalt Strike in the United States and South Korea. Earlier operations also targeted France.

 

“The developers behind Gootkit appear to have shifted resources from delivering just their own financial malware to steal credentials to creating a stealthy, complex delivery platform for all kinds of payloads,” said Szappanos.

 

He added that Gootloader’s creators are using a number of social engineering tricks that can fool even technically skilled IT users.

 

He said there are a few warning signs for users to look out for, such as search results that point to websites that have no logical connection to the advice they appear to offer, which display advice or download links that precisely match the search terms used in the initial question.

 

Szappanos suggested that Windows users turn off the “Hide Extensions for Known File Types” view setting in the Windows file explorer, which would enable users to see that the .zip download delivered by the attackers contains a file with a .js extension.

 

Alternatively, users can install script blockers like NoScript for Firefox, which would prevent the hacked web page from appearing in the first place.

 

Source: Cybercriminals now using fake forums to trick victims into downloading malware (via TheStar Online)

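A defender-side check for the lure shape both posts above describe: a downloaded ZIP whose only member is a script file (the obfuscated JavaScript in the first post, and the .js extension that stays hidden behind the "Hide extensions" setting in the second). This is an added example, not code from either article or from Sophos; the extension list, the double-extension heuristic and the two constructed sample archives are assumptions of this example, and the lure filename is a made-up placeholder rather than a real Gootloader artifact.

```python
"""Flag ZIP downloads that contain Windows-executable script members,
the single-.js-in-an-archive pattern described in the posts above."""
import io
import os
import zipfile

# Extensions Windows hands to the script host or shell on double-click
# (assumed list for this example; extend it to local policy).
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".cmd", ".bat", ".exe", ".scr", ".lnk",
}


def member_findings(name: str) -> list:
    """Return the reasons one archive member looks suspicious (empty if none)."""
    lower = name.lower()
    stem, ext = os.path.splitext(lower)
    reasons = []
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"executable/script extension {ext}")
        # "agreement.pdf.js" displays as "agreement.pdf" when extensions are hidden
        inner_ext = os.path.splitext(stem)[1]
        if inner_ext and inner_ext not in SCRIPT_EXTENSIONS:
            reasons.append(f"double extension {inner_ext}{ext}")
    return reasons


def inspect_archive(data: bytes) -> dict:
    """Scan an in-memory ZIP and return a verdict plus per-member findings."""
    findings = {}
    file_members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            file_members.append(info.filename)
            reasons = member_findings(info.filename)
            if reasons:
                findings[info.filename] = reasons
    # The write-up's lure: exactly one file in the archive, and it is a script.
    lone_script = len(file_members) == 1 and file_members[0] in findings
    return {
        "suspicious": bool(findings),
        "lone_script": lone_script,
        "findings": findings,
        "members": file_members,
    }


def build_lure_archive() -> bytes:
    """Constructed sample: one .js named after a search query (placeholder, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("real estate agreement template.js",
                    "// placeholder body, constructed for this example\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed sample: documents only, no script members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("agreement.pdf", "%PDF-1.4 constructed placeholder\n")
        zf.writestr("notes.txt", "plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_lure_archive()),
                        ("benign", build_benign_archive())):
        print(label, inspect_archive(data))
```

The check looks only at member names, which is cheap enough to run on every download in a mail or web gateway; it is a triage filter, not a verdict on the script body, and the `lone_script` flag is the one that most closely matches the archive shape the articles describe.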