How Gootkit RAT Uses SEO to Distribute Malware Through Compromised Sites

The attackers behind the Gootkit banking trojan are using an updated delivery framework that also drops additional malware payloads on affected users.

According to the experts, Gootkit is a mature banking trojan whose core function is stealing banking credentials. In recent years its operators have improved the malware with the help of NodeJS, and they target victims located in France, Germany, the United States, and South Korea.

First reported in 2014, the malware is JavaScript-based and can carry out web injection, keystroke logging, video recording, password capture, and more.

The campaign relies on social engineering to deliver several payloads, taking the Gootloader delivery framework to the next level.

What Happened Exactly?

The attack rests on a sophisticated method: multiple ZIP files are hosted on compromised websites that otherwise serve legitimate purposes, and search engine optimization (SEO) is manipulated so that those sites appear among the top results for the victim's search query.


The search engine thus points users to websites that have no logical connection to their query, and the attackers gain that placement by hacking the websites. In one case the researchers identified, a search for advice on real estate agreements returned, as the first result, a breached neonatal medical practice based in Canada.

The researchers added that the attackers store the target geographies and rewrite the website's code on the fly for visitors from those countries, serving the web content they uploaded. Users from the right location see a fake forum page built around the topic they searched for.

When a user clicks the search result, they are redirected to a fake message that references their search terms and holds the link to the ZIP file. The ZIP contains obfuscated JavaScript that starts the next stage: it fetches data from a remote server and loads it directly into memory to begin the compromise.
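A defender-side check for the delivery artefact described above, a ZIP archive whose only content is a script: added example, not code from the original article or from any researcher it cites. The script-extension list and the constructed sample archives are assumptions; the page itself only mentions JavaScript in a ZIP.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Extensions treated as script payloads. Assumed list, broader than the
# ".js" case the article describes, so the check also covers sibling types.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


@dataclass
class ZipVerdict:
    suspicious: bool
    script_members: list = field(default_factory=list)
    reason: str = ""


def inspect_zip(data: bytes) -> ZipVerdict:
    """Flag archives that carry script files, especially a lone script."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ZipVerdict(False, [], "not a ZIP archive")
    members = [i for i in zf.infolist() if not i.is_dir()]
    scripts = [i.filename for i in members
               if i.filename.lower().endswith(SCRIPT_EXTENSIONS)]
    if not scripts:
        return ZipVerdict(False, [], "no script members")
    if len(members) == 1:
        return ZipVerdict(True, scripts, "archive consists of a single script file")
    return ZipVerdict(True, scripts,
                      f"{len(scripts)} script member(s) among {len(members)} files")


def build_sample_zip(members: dict) -> bytes:
    """Build a constructed in-memory ZIP used only as a test fixture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a lure-style archive and a harmless one.
    lure = build_sample_zip({"agreement_template.js": "var a = 'x';"})
    benign = build_sample_zip({"notes.txt": "hello", "report.pdf": "%PDF-1.4"})
    for label, blob in (("lure", lure), ("benign", benign)):
        v = inspect_zip(blob)
        print(label, v.suspicious, v.reason, v.script_members)
```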

The chain has multiple stages and takes an evasive approach: it unpacks a .NET component and Delphi-based malware that holds the final payload in encrypted form.

Besides the REvil ransomware and the Gootkit trojan, several attacks have been spotted leveraging the Gootloader framework to stealthily deliver the Kronos malware in Germany and the Cobalt Strike post-exploitation tool in the United States.

It is not clear how the attackers infect the websites that serve the multiple malware families. According to the investigation, they may use passwords stolen with the Gootkit malware or purchase stolen credentials on hacker forums. The attack also depends on exploiting security flaws in the plugins used by CMS software.

Summing Up

Microsoft reported these findings in a series of tweets, so they are not extensive. The hands-on-keyboard attacks emanate from the Gootkit malware, which is also distributed through drive-by downloads as JavaScript inside a ZIP file.

The attackers are shifting their resources and energy away from delivering their own financial malware and toward a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware.

These attacks show cybercriminals developing updated delivery mechanisms. They also actively use endpoint tools and distribute several malware families. The creators of Gootloader are now using updated techniques to improve their results.
