The GootLoader malware has been spread through a recent Search Engine Optimisation (SEO) poisoning campaign targeting government and private sector employees.
According to the reports, the SEO operators created about 200 blog posts on a single website. The campaign has been effective partly because the threat actors copied genuine content from numerous similar websites.
The adversaries also used blog post titles that an employee would search for when looking up foreign intelligence services. A user who is baited by these poisoned results is redirected to a site that downloads the GootLoader malware.
Most of the topics the attackers used relate to real estate, government organisations, legal issues, medical information, education, and similar subjects.
Several researchers have attributed the latest SEO campaign to the TAC-011 threat group. According to them, the group has targeted WordPress websites to create thousands of blog posts for SEO poisoning.
The GootLoader malware could collect different types of information.
If an unsuspecting visitor accesses one of the fake results, they are redirected to a script operated by the GootLoader actors that harvests details about their operating system, IP address, and last recorded visit.
The attackers use the script to run a series of checks before deciding whether to present the user with the blog post or with a malicious overlay that spoofs a forum thread. A user who has been served the overlay will not be served it again within the next day, and users connecting through Tor or VPN services are not directed to the overlay at all.
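Because the gating described above serves the overlay only once per visitor and withholds it from Tor and VPN clients, an analyst who re-fetches the page later may not reproduce the redirect; the proxy log often remains the only evidence. The following is an added example, not code from the article or from the researchers it cites: it flags, in a constructed web proxy log, the chain a defender would observe, namely a client arriving from a search-engine result and receiving a file download shortly afterwards. The log format, field names, host lists, time window and sample lines are all assumptions made for the example.

```python
"""
Flag suspected SEO-poisoning redirect chains in web proxy logs.

Added example, not code from the original article or from any researcher it
cites. It models only the defender's view of the chain the article describes:
a client arrives at a page from a search-engine result and, shortly afterwards,
receives a file download. The log format, field names, thresholds and the sample
lines below are constructed assumptions, not a vendor's real format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Referrer hosts treated as search engines (assumption: extend for your estate).
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
# Response types that indicate a file was handed to the browser (assumption).
DOWNLOAD_CONTENT_TYPES = {"application/zip", "application/octet-stream", "application/x-msdownload"}
# How long after the search-referred landing a download is still linked to it.
WINDOW = timedelta(seconds=120)

# Constructed sample log: "timestamp | client_ip | url | referrer | status | content-type".
SAMPLE_LOG = """
2024-01-15T10:00:01 | 10.0.0.5 | https://blog.compromised.test/agreement-post/ | https://www.google.com/ | 200 | text/html
2024-01-15T10:00:04 | 10.0.0.5 | https://blog.compromised.test/forum/thread.php | https://blog.compromised.test/agreement-post/ | 200 | text/html
2024-01-15T10:00:09 | 10.0.0.5 | https://drop.compromised.test/download.php?id=1 | https://blog.compromised.test/forum/thread.php | 200 | application/zip
2024-01-15T11:30:00 | 10.0.0.7 | https://docs.legit.test/page | https://www.bing.com/ | 200 | text/html
2024-01-15T11:31:00 | 10.0.0.7 | https://docs.legit.test/img/logo.png | https://docs.legit.test/page | 200 | image/png
2024-01-15T12:00:00 | 10.0.0.9 | https://updates.legit.test/setup.zip | | 200 | application/zip
"""


@dataclass(frozen=True)
class LogEntry:
    ts: datetime
    client_ip: str
    url: str
    referrer: str
    status: int
    content_type: str


def parse_log(text):
    """Parse the constructed pipe-separated format into LogEntry objects."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, ip, url, ref, status, ctype = (f.strip() for f in line.split("|"))
        entries.append(LogEntry(datetime.fromisoformat(ts), ip, url, ref,
                                int(status), ctype.split(";")[0].strip().lower()))
    return entries


def _host(url):
    return (urlparse(url).hostname or "").lower()


def find_suspicious_chains(entries):
    """Return one finding per search-referred landing that is followed, within
    WINDOW, by a download-type response for the same client."""
    by_client = {}
    for e in entries:
        by_client.setdefault(e.client_ip, []).append(e)

    findings = []
    for ip, events in by_client.items():
        events.sort(key=lambda e: e.ts)
        for i, landing in enumerate(events):
            if _host(landing.referrer) not in SEARCH_ENGINE_HOSTS:
                continue  # only landings that came from a search result
            for follow in events[i + 1:]:
                if follow.ts - landing.ts > WINDOW:
                    break  # outside the correlation window
                if follow.status == 200 and follow.content_type in DOWNLOAD_CONTENT_TYPES:
                    findings.append({
                        "client_ip": ip,
                        "landing_url": landing.url,
                        "download_url": follow.url,
                        "seconds_after_landing": int((follow.ts - landing.ts).total_seconds()),
                    })
                    break  # one finding per landing is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, only client 10.0.0.5 is flagged: it arrives from a Google result, passes through a forum-style page and receives a zip eight seconds later. The direct download by 10.0.0.9 is not flagged because nothing ties it to a search result, which keeps ordinary software updates out of the queue. The rule is a triage heuristic, not proof of infection; the flagged download URL and the preceding landing page are the artefacts to pull for analysis.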
The researcher could not identify additional payloads delivered to the baited targets and concluded that the attackers were selective about which entities they targeted.
Organisations, especially in the government sector, should adequately train their employees about SEO attacks. Such training equips employees to recognise these attacks and to avoid running unknown files.