Gootkit malware crew using SEO to get pwned websites in front of unwitting marks

And they're getting into the ransomware game too, warns Sophos


Gootkit financial malware has been resurrected to fling ransomware payloads at unwitting marks, according to Sophos.

The infosec firm said today that “criminal operators have turned the infection method” for the malware “into a complex delivery platform for a wide range of malware, including ransomware.”

Gootkit is an exploit kit that has been around for a good few years. Originally its operators set out to compromise legitimate websites and redirect their traffic towards hostile sites containing malware.

Now, however, they’re using the eternally grey art of search engine optimisation (SEO) to get their malicious wares onto victims’ devices – and those malicious wares include payloads from the REvil ransomware crew, post-exploit artefacts from the Cobalt Strike tool and the Kronos banking malware.

Gabor Szappanos, Sophos’ threat research director, said in a canned statement: “Gootloader’s creators use a number of social engineering tricks that can fool even technically skilled IT users. Fortunately, there are a few warning signs internet users can look out for.

“These include Google search results that point to websites for businesses that have no logical connection to the advice they appear to offer; advice that precisely matches the search terms used in the initial question; and a ‘message board’-style page,” he continued.

These fake websites contain either downloads or links to downloads, with the malware doing its thing once the unwitting user clicks the link.

Gootkit’s operators have also used email spam to distribute their original nasty, as Mailchimp found out the hard way in 2018.

Malware criminals cross-pollinating their wares isn’t new, but it is growing in popularity as the “easy” financial gains from ransomware become more apparent, especially after the coronavirus pandemic pushed much of the world online, with many people working remotely as well. Last week the Clop ransomware gang published snippets of stolen documents from aerospace firm Bombardier, with experts saying the Clop crew was acting as a reseller for a different bunch of crooks who did the actual stealing.

As for avoiding the Gootkit crew, Sophos’ advice was simple: “Script blockers like NoScript for Firefox could help web surfers remain safe by preventing the replacement of a hacked web page from appearing in the first place.” ®


Biting the hand that feeds IT © 1998–2021