Excellent SEO score before deploying malware to victims

March 13, 2021
seo gootkit remote access trojan malware

Hackers and threat actors are always innovative in terms of finding new ways to deploy malware payloads. Cybersecurity researchers have recently discovered a new scheme, and they have eyed search engine optimisation or SEO techniques as another method to deliver malware and malicious scripts.

Webmasters have used SEO optimisation to increase a website’s reach and exposure on search engines like Google and Bing search. But somehow, threat actors have found a way to tamper with the content management systems or CMS used on website management to spread malware, trojans, malicious tools and ransomware.

Security researchers belonging to a group have found a new technique dubbed “Gootloader” in a recent research report. This technique involves Gootkit Remote Access Trojan (RAT) deployment by delivering the infection framework initially; this also delivers several other malware packages.

In using this SEO technique, Gootkit RAT operators must maintain roughly 400 servers to achieve ranking success. It is still unknown how these hackers get a hold of the hacked legit websites used to host malicious download contents and links. Researchers assume that the compromised website and its backend could have been hijacked via stolen credentials, malware or brute force attacks.

 

As soon as the operators obtained privileged access to the good ranking SEO websites, they insert few codes into the web page’s body content.

 

Each of the Gootloader compromised websites is manipulated to return specific search queries to show as link result. A fake message board that has been deployed on the good ranking website will display the user query’s solution link. They seem to be able to rewrite the website’s contents, which will be presented to the visitor. The victim will then be taken to a message board or blog comments section in which people are discussing the same topic of interest along with a topic related direct download link.

Visitors that will click on the direct download link will receive a ZIP archive file named based on their query. Once opened, a Javascript or .js file will be executed, run in memory, and the malicious code will be decrypted to request and call other malware payloads.

his technique is currently being used to spread Gootkit banking trojan, Cobalt Strike, Kronos and REvil ransomware, and other malware variants in France, Germany, South Korea and the United States.

By proper user education, getting infected can be avoided once they recognise a malicious scheme’s signs. The main problem is that the social engineering employed by these hackers can fool even trained people. Tools that can detect these malicious scripts can certainly help web surfers remain safe, but not all use effective script detection tools.

About the author

Leave a Reply