You are here
Home > News > Hackers now use SEO Malware to launch coordinated attacks

Hackers now use SEO Malware to launch coordinated attacks

Hackers now use SEO Malware to launch coordinated attacks

Due to Gootkit RAT, Hackers can now exploit websites to give them excellent SEO before deploying malware. Sophos reported that the said method of search engine “deoptimization” includes both search engine optimization tricks and the human psychology abuse to push compromised sites to the rankings of Google.

The cybersecurity team revealed in a blog post published on Monday that this method, dubbed “Gootloader,” has to do with deploying an infection framework for the Gootkit RAT (Remote Access Trojan) that also offers a wide array of malware payloads.

Meet Gootkit RAT – The SEO Malware

Using search engine optimization as a method of deploying Gootkit Remote Access Trojan isn’t a little operation. According to an estimate by researchers, a server network – 400 or more – needs to be maintained at any time to be successful.

Even though it’s not known if they use any particular exploit to compromise the affected domains, the researchers stated that the CMSs that run the websites’ backend have likely been hijacked through malware, brute-force attacks or stolen credentials.

As soon as these threat actors were able to gain access, some code jokes are inserted into the website content’s body.

Websites that Gootloader comprise are manipulated for answering particular search queries. In hijacked sites that Sophos observe, a constant theme is the fake message boards, whereby “subtle” changes are made, so the website contents that are shown to particular visitors are rewritten.

If the criteria of the attackers are not met, the browser is going to seemingly show a normal webpage, which will finally change to garbage text.

You’ll then see a fake forum post that contains the query’s apparent answer and also a direct download link. In an example that the team discussed, a legit neonatal clinic’s site was compromised to display fake answers to questions that have to do with real estate.

Any victim that presses the direct download link buttons will get an archive file with the .zip extension, with a name related to the search term, which has a .js file in it. That .js file will execute, run in memory, then decrypt an obfuscated code to call any other payload(s).

Sophos reported that they use this technique to distribute the Gootkit banking Trojan, REvil ransomware, Cobalt Strike, and Kronos, among the malware variations, in the United States, France, Germany, and South Korea.

Interesting Reads

Chandra Palan

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Top