The latest Gootloader campaign is targeting users searching oddly specific subjects such as California breakroom laws and whether Bengal cats are legal in Australia.
The campaign leverages Search Engine Optimization (SEO) poisoning, a technique in which threat actors optimize a compromised website to rank highly in search results, in this case for generic legal templates, agreements, and documents.
Once visited, the sites instruct the user to download a ZIP file that purportedly contains what they were searching for but actually contains malicious JavaScript.
Once executed, this JavaScript initiates a multi-stage malware installation, deploying tools to steal data or gain unauthorized remote access.
Source: The Hacker News
Analysis
Gootloader is well known for using SEO to deliver malware to potential victims. Usually, however, the group sticks to slightly more generic search subjects, such as sample agreements for things like "joint driveway access" and "employee housing".
In May 2024, Field Effect observed a Gootloader campaign that redirected users searching for a "letter of withdrawal from agreement" template to a compromised website, where they were instructed to download the template. Upon analysis, Field Effect determined that this file contained malicious JavaScript that, when executed, installs the first stage of the Gootloader malware.
It's unclear whether Gootloader was specifically targeting Australians interested in owning a Bengal cat or whether this is just another potential search result Gootloader can leverage to spread its malware. It's possible that Gootloader deliberately chooses uncommon search terms to avoid drawing attention to its malicious operations.
Regardless, this campaign highlights the importance of not blindly trusting search results returned by Google and other search engines.
Mitigation
Field Effect MDR users are automatically alerted when activity related to threat groups like Gootloader is detected in their environment. These AROs should be reviewed via the Field Effect Portal as soon as possible.
To reduce the risk posed by SEO poisoning, Field Effect encourages users to:
- Keep their browser up to date;
- Configure anti-virus solutions to automatically scan files downloaded by browsers;
- Avoid visiting suspicious websites and heed any security notifications displayed by the browser (e.g. expired website certificates, insecure connections, etc.); and
- Rely on official, reputable sources when downloading content such as templates and samples.
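As an added defensive example (not from the article or from Field Effect), the following Python triage flags the delivery chain described above in process-creation logs: a script host (wscript.exe or cscript.exe) launched from Explorer, i.e. by a double-click, on a .js file that sits under the user's Downloads folder or the Temp directory where Explorer extracts ZIP contents. The log format, file names and paths are constructed assumptions, not a real EDR schema or real indicators.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # default handlers for .js/.jse
SCRIPT_EXTS = {".js", ".jse"}
# Where a browser download or an Explorer ZIP extraction typically lands.
USER_DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")

@dataclass
class Event:
    parent: str
    image: str
    cmdline: str

def parse_event(line: str) -> Event:
    """Parse one constructed 'key=value|key=value' log line."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(fields["parent"], fields["image"], fields["cmdline"])

def script_path(cmdline: str) -> Optional[str]:
    """Return the first .js/.jse argument on the command line, unquoted."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        token = quoted or bare
        if PureWindowsPath(token).suffix.lower() in SCRIPT_EXTS:
            return token
    return None

def is_suspicious(ev: Event) -> bool:
    """Script host started by Explorer on a .js file in a download/temp directory."""
    if PureWindowsPath(ev.image).name.lower() not in SCRIPT_HOSTS:
        return False
    if PureWindowsPath(ev.parent).name.lower() != "explorer.exe":
        return False
    path = script_path(ev.cmdline)
    return path is not None and any(d in path.lower() for d in USER_DROP_DIRS)

def triage(lines: list[str]) -> list[str]:
    """Return the script paths of all flagged events."""
    events = [parse_event(line) for line in lines]
    return [script_path(e.cmdline) for e in events if is_suspicious(e)]

# Constructed sample events; the first mirrors the chain in the article.
SAMPLE_EVENTS = [
    r'parent=C:\Windows\explorer.exe|image=C:\Windows\System32\wscript.exe|cmdline="C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_agreement_template.zip\withdrawal agreement template 48213.js"',
    r'parent=C:\Windows\System32\services.exe|image=C:\Windows\System32\cscript.exe|cmdline=cscript.exe //nologo C:\ProgramData\Scripts\inventory.vbs',
    r'parent=C:\Windows\System32\cmd.exe|image=C:\Windows\System32\wscript.exe|cmdline=wscript.exe C:\Tools\build\cleanup.js',
]
```

Running `triage(SAMPLE_EVENTS)` flags only the first event; a script host started from cmd.exe on a path outside the drop directories, or on a .vbs file, is left alone.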