“Gootloader” secretly infects internet users with malware and ransomware

New research from Sophos shows how criminal operators have turned the infection method for “Gootkit” financial malware into a complex delivery platform for a wide range of malware, including ransomware. Sophos researchers have named the delivery platform “Gootloader.”

Gootloader attackers reach their targets by hacking into legitimate websites and subtly altering the content. As a result, the websites can show different content to different visitors.

The criminal operators manipulate search engine optimization (SEO) so that when someone types a question into a search engine such as Google, the hacked websites appear among the top results. What happens after users click on a link to a hacked website depends upon their country location.

For instance, if a user from a country that is not a “target” clicks on a hacked website, they are shown benign fake web content and nothing happens.

However, if users from one of Gootloader’s targeted countries click on a hacked website, they are shown a page featuring a fake discussion forum on the very topic they queried, using the same terms they typed into the search engine. The fake websites look the same regardless of whether they are in English, German or Korean.

The fake discussion forum includes a post from a “site administrator,” with a link to a download. The download is a malicious file. If targets click on it, the next stage of infection begins.

From this point on, attacks proceed undercover, delivering the malicious payload to targets using a wide range of evasion techniques to avoid detection by security tools.

Gootloader is currently delivering Kronos financial malware in Germany, and a post-exploitation tool called Cobalt Strike in the US and South Korea. The attackers have also delivered REvil ransomware and the Gootkit trojan itself as payloads. Earlier operations targeted France.

“The developers behind Gootkit appear to have shifted resources from delivering just their own financial malware to steal credentials to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware,” said Gabor Szappanos, threat research director at Sophos. “Gootloader’s creators use a number of social engineering tricks that can fool even technically skilled IT users. Fortunately, there are a few warning signs internet users can look out for. These include Google search results that point to websites for businesses that have no logical connection to the advice they appear to offer; advice that precisely matches the search terms used in the initial question; and a ‘message board’-style page that looks identical to the examples shown in the Sophos research, featuring text and a download link that also precisely matches the search terms used in the initial Google search.”

To protect against delivery systems such as Gootloader:

  • Windows users can turn off the “Hide Extensions for Known File Types” view setting in the Windows file explorer as this will allow them to see that the .zip download delivered by the attackers contains a file with a .js extension

  • Script blockers like NoScript for Firefox could help web surfers remain safe by preventing the injected replacement page from rendering on a hacked website in the first place

  • Installing a comprehensive security solution that can scan for suspicious behavior from code running in computer memory
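The first recommendation above can be applied and checked from PowerShell rather than by clicking through Explorer’s View options. The script below is an added example written for this article, not code from Sophos or from the research it describes. It assumes the standard Explorer “Advanced” registry key (HideFileExt) that backs the “Hide extensions for known file types” checkbox, and it uses the .NET ZipFile class to list the contents of a downloaded archive and flag entries whose extension Windows would run as a script on double-click; the extension list is a constructed example, not a list from the article.

```powershell
# Added example (not from the Sophos article): make Windows Explorer show file
# extensions for the current user, then inspect a downloaded .zip for script
# files before opening it.
# Assumption: HKCU\...\Explorer\Advanced\HideFileExt is the value behind the
# "Hide extensions for known file types" checkbox (1 = hide, 0 = show).

$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Show-KnownFileExtensions {
    # Setting HideFileExt to 0 makes Explorer display every file's extension,
    # so a download named "invoice.js" no longer shows up as just "invoice".
    Set-ItemProperty -Path $advancedKey -Name 'HideFileExt' -Value 0 -Type DWord
    # Explorer reads this value at start-up; restarting the shell applies it.
    # Windows relaunches explorer.exe automatically after it exits.
    Stop-Process -Name explorer -Force
}

function Test-KnownFileExtensionsHidden {
    # Returns $true when extensions are still hidden (the Windows default).
    $value = (Get-ItemProperty -Path $advancedKey -Name 'HideFileExt').HideFileExt
    return ($value -ne 0)
}

function Find-ScriptsInArchive {
    param([Parameter(Mandatory)][string]$ZipPath)
    # Constructed list of extensions that Windows Script Host, mshta or cmd.exe
    # will execute when double-clicked; .js is the one the article describes.
    $scriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.cmd', '.bat', '.ps1')
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $archive = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $archive.Entries) {
            $ext = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
            if ($scriptExtensions -contains $ext) {
                # Emit one object per suspicious entry so the output can be piped
                # to Format-Table or exported for a ticket.
                [pscustomobject]@{
                    Archive   = $ZipPath
                    Entry     = $entry.FullName
                    Extension = $ext
                    Bytes     = $entry.Length
                }
            }
        }
    } finally {
        $archive.Dispose()
    }
}

# Usage (paths are placeholders):
# if (Test-KnownFileExtensionsHidden) { Show-KnownFileExtensions }
# Find-ScriptsInArchive -ZipPath "$env:USERPROFILE\Downloads\search_result_download.zip"
```

Run the archive check on any .zip that arrives from a search-engine result before extracting it: an archive whose only payload is a single .js file matches the delivery pattern the article describes, and the inspection does not execute anything inside the archive.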

Sophos Intercept X protects users by detecting the actions and behaviors of malware like Gootloader. The first-stage JavaScript files are detected as AMSI/GootLdr-A. The PowerShell loader is detected as AMSI/Reflect-H or Exec_12a. Indicators of compromise for this analysis have been posted to the SophosLabs GitHub.