Cyber attackers have turned to search engine optimization (SEO) techniques to deliver malware payloads to as many victims as possible.
According to Sophos, the so-called “de-optimization” method combines SEO tricks with the misuse of human psychology to push compromised websites up in Google’s rankings.
SEO is used by webmasters to increase the visibility of their website in search engines like Google or Bing. Sophos says threat actors are now manipulating website content management systems (CMS) to deliver financial malware, exploit tools, and ransomware.
In a blog post on Monday, the cybersecurity team said the technique, known as “Gootloader”, provides the infection framework for the Gootkit Remote Access Trojan and is also used to deliver a variety of other malware payloads.
Using SEO as a technique to deliver Gootkit RAT is no small operation. The researchers estimate that a network of servers – 400, if not more – must be maintained at any given time to be successful.
While it is not known if a particular exploit is used to compromise these domains in the first place, the researchers say that CMSs that run the backend of websites may have been hijacked via malware, stolen credentials, or brute force attacks.
Once the threat actors gain access, a few lines of code are inserted into the website’s content. Checks are made to determine whether the visitor is of interest as a target – based on their IP address and location, for example – and requests that arrive via Google search results are the most likely to be accepted.
Websites compromised by Gootloader are manipulated in order to answer certain search queries. Counterfeit message boards are a recurring theme on the hacked websites monitored by Sophos, where “subtle” changes are made to “rewrite how the website’s content is presented to certain visitors”.
“If the right conditions are met (and the visitor’s IP address has not yet visited the website), the malicious code executed on the server redraws the page to give the visitor the impression that he or she has stumbled into a message board or blog comment section that discusses the exact same topic,” says Sophos.
If the attacker’s criteria are not met, the browser displays a seemingly normal web page, which on closer inspection turns out to be junk text.
Otherwise, a fake forum post is displayed that contains an apparent answer to the search query as well as a direct download link. In one example discussed by the team, the website of a legitimate neonatal clinic was compromised in order to serve answers to questions about real estate.
Victims who click the direct download link receive a ZIP archive, named after the search term, that contains a .js file.
When the .js file is executed, it runs in memory and decrypts its obfuscated code to reveal further payloads.
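The delivery stage described above (a small ZIP archive, named after the search term, carrying a single script file) is something a download gateway or endpoint tool can flag before the script ever runs. The check below is an added example written for this article, not Sophos code or a real Gootloader sample; the archive and script names are constructed for illustration.

```python
import io
import os
import zipfile

# Extensions that Windows Script Host or mshta will execute directly when double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def inspect_archive(archive_name: str, zip_bytes: bytes) -> dict:
    """Return a verdict on a downloaded ZIP archive.

    Heuristic for the lure pattern described in the article: the archive
    holds a single script file, and that script is named after the archive
    (and so after the search term the victim typed).
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
    scripts = [
        m for m in members
        if os.path.splitext(m)[1].lower() in SCRIPT_EXTENSIONS
    ]
    archive_stem = os.path.splitext(os.path.basename(archive_name))[0].lower()
    name_matches = any(
        os.path.splitext(os.path.basename(s))[0].lower() == archive_stem for s in scripts
    )
    return {
        "member_count": len(members),
        "script_members": scripts,
        # Any script inside a downloaded archive deserves a second look.
        "suspicious": bool(scripts),
        # Highest confidence: the archive exists only to carry one script
        # whose name mirrors the archive name.
        "name_matches": name_matches,
        "lure_pattern": len(members) == 1 and len(scripts) == 1 and name_matches,
    }


def build_sample(member_name: str, payload: bytes) -> bytes:
    """Construct an in-memory archive for demonstration (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: archive and script share the "search term" name.
    lure = build_sample("real_estate_purchase_agreement.js", b"// placeholder loader stub")
    print(inspect_archive("real_estate_purchase_agreement.zip", lure))
    # Constructed benign download: a document, no script.
    print(inspect_archive("agreement.zip", build_sample("agreement.pdf", b"%PDF-1.4 placeholder")))
```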
According to Sophos, the technique is used to spread the Gootkit banking Trojan, Kronos, Cobalt Strike and REvil ransomware in South Korea, Germany, France and the USA, among others.
“There are several places where end users can avoid the infection by recognizing the signs,” say the researchers. “The problem is, even trained people can easily be fooled by the chain of social engineering tricks the developers at Gootloader use. Script blockers like NoScript for Firefox could help a cautious web surfer stay safe by preventing the hacked website from being replaced in the first place, but not everyone uses these tools.”