
Gootloader malware is back with new tricks after 7-month break


The Gootloader malware loader operation has returned after a 7-month absence and is once again performing SEO poisoning to promote fake websites that distribute the malware.

Gootloader is a JavaScript-based malware loader. It is spread through compromised or attacker-controlled websites that trick visitors into downloading what appears to be a document but is actually a JavaScript file.

These websites are promoted in search results either through paid ads or through search engine optimization (SEO) poisoning, which pushes a site up the rankings for particular keywords, such as searches for legal documents and agreement templates.

Malicious ad for an NDA template

Source: Gootloader researcher

In the past, these websites displayed fake message boards that pretended to discuss the user's query, with some posts recommending (malicious) document templates that could be downloaded. The SEO campaigns later switched to websites that pretend to offer free templates for various legal documents.

Fake agreement and legal document template site

Source: Gootloader researcher

When a visitor clicked the "Get Document" button, the site first checked whether the request looked like it came from a real target rather than a crawler or a security researcher and, if so, served an archive containing a JavaScript file named to look like a document. For example, the archive could include a file named mutual_non_disclosure_agreement.js.
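The delivery artifact is the practical thing to check for: an archive whose "document" is really a script. The following added example (not code from the article or from any Gootloader research tooling) builds a constructed ZIP containing a file with the name the article cites, and flags archive members that carry a script extension but a document-like name or a double extension. The ZIP format, the set of script extensions and the list of lure words are assumptions for this example; the archives the lure sites actually serve may differ.

```python
import io
import posixpath
import zipfile

# Extensions that Windows hands to a script host when the file is double-clicked.
# Assumption for this example; extend as needed.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# Document types a lure might imitate via a double extension (e.g. nda.pdf.js).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".rtf"}

# Words seen in legal-template lure file names; the article's example contains
# "agreement". Assumption for this example.
LURE_WORDS = ("agreement", "contract", "nda", "disclosure", "template", "form", "policy")


def is_script_lure(member_name: str) -> bool:
    """True when an archive member is a script masquerading as a document."""
    base = posixpath.basename(member_name).lower()
    root, ext = posixpath.splitext(base)
    if ext not in SCRIPT_EXTENSIONS:
        return False
    # Double extension such as invoice.pdf.js, or a document-like name.
    inner_ext = posixpath.splitext(root)[1]
    if inner_ext in DOCUMENT_EXTENSIONS:
        return True
    return any(word in root for word in LURE_WORDS)


def scan_archive(data: bytes) -> list[str]:
    """Return the members of a ZIP (given as bytes) that look like script lures."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_script_lure(info.filename):
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed sample archive shaped like the one the lure site serves."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # File name taken from the article; the content is a harmless placeholder,
        # not the real loader.
        zf.writestr("mutual_non_disclosure_agreement.js", "// placeholder\n")
        zf.writestr("readme.txt", "template\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name in scan_archive(build_sample_archive()):
        print("suspicious member:", name)
```

A mail gateway or download scanner can apply the same rule before the user ever sees the archive; a .js file whose name reads like a contract has no legitimate reason to arrive from a template site.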

Double-clicking the .js file runs it through the Windows script host, and the Gootloader script then downloads further payloads onto the device, including Cobalt Strike, backdoors, and bots that give the operators initial access to corporate networks. Other threat actors then used this access to deploy ransomware or conduct other attacks.
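On the endpoint, the execution step leaves a recognisable trace: a Windows script host (wscript.exe or cscript.exe) launched on a script sitting in a user-writable download location. The following added example (not code from the article or from any vendor product) runs that detection over a few constructed, Sysmon-style process-creation records. The record format, the host list, the script extensions and the user-writable directory patterns are assumptions for this example; it also assumes the default file association for .js has not been changed.

```python
import re

# Script hosts Windows uses for a double-clicked .js file under the default
# file association. Assumption for this example.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# First script-like argument on the command line, quoted or bare.
SCRIPT_ARG = re.compile(
    r'"([^"]+\.(?:js|jse|vbs|vbe|wsf))"|(\S+\.(?:js|jse|vbs|vbe|wsf))\b',
    re.IGNORECASE,
)

# Directories a browser or archiver drops downloaded files into. Assumption for
# this example; extend with the paths that matter in your environment.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:downloads|desktop|appdata\\local\\temp)\\|\\temp\\",
    re.IGNORECASE,
)

# Constructed process-creation records (Sysmon-style fields simplified to
# key=value pairs separated by '|'). The first record mirrors the article's lure;
# the other two are benign decoys.
SAMPLE_EVENTS = r"""
Image=C:\Windows\System32\wscript.exe|CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\mutual_non_disclosure_agreement\mutual_non_disclosure_agreement.js"|ParentImage=C:\Windows\explorer.exe
Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe //nologo C:\ProgramData\IT\inventory.vbs|ParentImage=C:\Windows\System32\cmd.exe
Image=C:\Program Files\Mozilla Firefox\firefox.exe|CommandLine="C:\Program Files\Mozilla Firefox\firefox.exe"|ParentImage=C:\Windows\explorer.exe
"""


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def script_path(event: dict):
    """Path of the script a script host was asked to run, or None."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    m = SCRIPT_ARG.search(event.get("CommandLine", ""))
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_lure_execution(event: dict) -> bool:
    """Script host running a script from a user-writable download location."""
    path = script_path(event)
    return bool(path) and bool(USER_WRITABLE.search(path))


def detect(events_text: str) -> list:
    """Return the records that match, with the parent process and script path."""
    hits = []
    for line in events_text.strip().splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_lure_execution(event):
            hits.append({"parent": event.get("ParentImage", ""),
                         "script": script_path(event)})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("script host launched download:", hit)
```

The parent of explorer.exe is what a double-click from the Downloads folder looks like; an archiver such as 7-Zip or WinRAR as the parent is the other common shape and would be worth adding to the rule. A cheaper preventive control, where the business allows it, is to reassociate .js and .jse with notepad.exe so a double-click opens the file as text instead of running it.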
