The operators of REvil and Gootkit have started using a proven technique to spread additional malware, says Sophos.

An innovative method that the operators of the REvil ransomware strain and the Gootkit banking trojan have been using for years to distribute their malware is now being used to deliver other malware, including the Kronos trojan and the Cobalt Strike attack kit.

Sophos researchers who tracked the threat named the delivery mechanism Gootloader. In a new report, they say the method merits a close look at how malicious search engine optimization (SEO) techniques are used as part of the malware delivery process.

Essentially, the method relies on the attackers maintaining a fairly large network of servers hosting legitimate but previously compromised websites. In each case, the attackers exploited vulnerabilities in the website’s content management system to insert a largely incomprehensible collection of words and phrases, commonly referred to as “word salad”.

The goal is to trick search engines into thinking a compromised website is about those words when in reality it might be something completely different, says Chester Wisniewski, principal research scientist at Sophos. For example, a compromised website that Sophos saw being used in the Gootkit campaign belonged to a neonatal clinic in Canada. Due to the random collection of words and phrases that were inserted into the website, the website appeared as the top link in Google search results in response to a query about a very narrow type of real estate agreement.

“You might be looking for ‘connect a Bluetooth toothbrush to a Motorola Android phone,’” Wisniewski says by way of example. “It’s just that the criminals compromised an unsafe WordPress site last week and among the words they injected were words like ‘Motorola’, ‘Android’ and ‘toothbrush’,” he says. Google is tricked into believing that the website is an authority on the subject, and the page is served as the top link in search results.

Since the result appears to match the original search query exactly, the user is tricked into clicking the link and is ultimately directed to a forum page on the compromised website that appears to be discussing the same topic. There is a download link on the web page, apparently posted by the forum administrator, to a document that supposedly contains the answer to the user’s query. The link also contains the exact search terms and in the same order as in the original search query. Users who click the link end up downloading a zip file – also with the same search terms – that contains malicious JavaScript disguised to look like a document. “You open the ‘document’ and run the JavaScript that infects your PC,” says Wisniewski.

Construct payloads on the fly
According to the report, the JavaScript file is the only stage in the attack chain in which a malicious file is written to the file system. All other malicious activity triggered after the script runs takes place in memory and is invisible to most endpoint protection tools.

The security vendor’s analysis of Gootloader shows that the mechanism is designed so that the fake forum page is served only to users who arrive at a compromised website via a Google search result. The Gootloader process also checks whether the visitor’s computer is running an operating system with the specific language and geolocation settings the attackers are targeting. If either condition is not met, the fake forum page is not served to the visitor.

Adversaries have developed a method that lets the site from which the malicious file is downloaded generate the payload “on the fly”, with a filename that matches the original search query, Sophos says. The company found that users were looking for random things like “Cisco WPA Agreement” and “Loyalty Bonus Agreement Template” when they were presented with links to a compromised website that supposedly had an answer to their specific request.
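As an added illustration, not Sophos’s code or anything taken from the report, the two observable artefacts of the download sequence described above (a zip whose name repeats the exact Google search terms in order, and a script inside it posing as a document) turned into simple defender-side checks. The proxy log format, hostnames, client addresses and archive contents are all constructed for the example.

```python
import io
import os
import re
import zipfile
from urllib.parse import parse_qs, urlparse

# Constructed proxy log lines, one per line: "<client> <requested_url> <referrer>"
SAMPLE_LOG = """\
10.0.0.5 https://clinic.example/forum/files/cisco_wpa_agreement.zip https://www.google.com/search?q=cisco+wpa+agreement
10.0.0.7 https://vendor.example/docs/cisco_wpa_guide.pdf https://www.google.com/search?q=cisco+wpa+guide
10.0.0.9 https://intranet.example/reports/q3.zip https://intranet.example/reports/
"""

SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta"}  # script types that run on double-click

def google_query_terms(referrer: str) -> list:
    """Lower-cased search terms from a Google search referrer; [] for any other referrer."""
    parsed = urlparse(referrer)
    if not parsed.netloc.lower().endswith("google.com"):
        return []
    query = parse_qs(parsed.query).get("q", [""])[0]
    return re.findall(r"[a-z0-9]+", query.lower())

def filename_matches_query(url: str, referrer: str) -> bool:
    """True when a .zip download is named after the search terms, in the same order."""
    terms = google_query_terms(referrer)
    stem, ext = os.path.splitext(os.path.basename(urlparse(url).path).lower())
    return bool(terms) and ext == ".zip" and re.findall(r"[a-z0-9]+", stem) == terms

def flag_suspicious_downloads(log_text: str) -> list:
    """Clients whose download matches the search-term-named zip pattern."""
    hits = []
    for line in log_text.splitlines():
        client, url, referrer = line.split()
        if filename_matches_query(url, referrer):
            hits.append(client)
    return hits

def scripts_in_archive(zip_bytes: bytes) -> list:
    """Archive members that are scripts rather than documents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist()
                if os.path.splitext(n)[1].lower() in SCRIPT_EXTS]

def build_sample_zip() -> bytes:
    """Constructed archive mimicking the lure: a 'document' that is really a .js file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cisco_wpa_agreement.js", "// constructed placeholder content\n")
    return buf.getvalue()
```

Only the first log line trips both the Google-referrer and the name-matches-query conditions; the second is a legitimate PDF and the third has no search referrer at all.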

According to Sophos, the infection method is apparently aimed only at users who search on Google. It also seems to work primarily for search types where there isn’t a clearly credible expert site to send users to, Wisniewski adds. “It is very difficult to fool Google about ‘Donald Trump’ or ‘Watergate’,” he says. As a result, many of the searches that land users on a compromised website are for strange combinations of generic things. “That’s why the word salad works so well,” he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in specialist IT journalism. Most recently, he was Senior Editor at Computerworld, where he dealt with information security and data protection issues for publication. Over the course of his 20 year …
