How Gootkit trojan distributes ransomware via Google SERPs

Unwitting developers looking for script help on forums may become victims of the Gootkit malware and the ransomware attacks it delivers.

In today's marketing technology it is standard practice to include scripts in your HTML that inject still more script; Google Tag Manager is a good example. Many marketers and website managers do not realize that such scripts trade page performance for ads and tracking. When attackers inject script into HTML without our permission, the same mechanism lets them hijack our search engine ranking potential for their own ends.

This is made possible in part by the evergreen (Chromium-based) Googlebot and its JavaScript rendering. Attackers find and exploit weaknesses in high-ranking websites, compromise them, and use a Node.js-based malware framework called Gootkit (a play on the word "rootkit") to publish fake pages under otherwise completely trustworthy domain names.

Gootkit framework’s SEO template

Here is how it works. The generated code detects Googlebot, regular visitors and, notably, visitors arriving from Google search, and serves each a different response. The attackers craft a fake forum-thread template containing a malware download link, tailored so that Google ranks it in its SERPs as the best answer for the intended victims, based on the attackers' detailed knowledge of what those victims search for.
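The three-way visitor split described above, as an added example that is not code from the Gootkit framework or from the article: a classifier that mimics the decision a cloaking template makes from the User-Agent and Referer headers, and a check a site owner can run that fetches the same URL under each persona and compares the bodies. The persona headers, the sample page bodies and the stand-in "compromised site" are constructed assumptions so that the check runs offline; `http_fetch` is the real fetcher to use against a site you are responsible for.

```python
"""Added example: model the Googlebot / search-visitor / direct-visitor split
and detect it from the outside. Not Gootkit code; names and sample pages are
assumptions made for this illustration."""
import hashlib
import urllib.request
from typing import Callable, Dict

Headers = Dict[str, str]
Fetcher = Callable[[str, Headers], str]


def classify_visitor(headers: Headers) -> str:
    """Mimic the request classification a cloaking template performs.
    Returns 'crawler', 'search_user' or 'direct'."""
    ua = headers.get("User-Agent", "").lower()
    referer = headers.get("Referer", "").lower()
    if "googlebot" in ua:
        return "crawler"
    if referer.startswith(("http://", "https://")):
        host = referer.split("/")[2]            # scheme://host/...
        if "google" in host.split("."):         # google.com, www.google.co.uk, ...
            return "search_user"
    return "direct"


# Assumed personas; a real check should rotate several browser strings.
PERSONAS: Dict[str, Headers] = {
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
    "search_user": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/90.0",
                    "Referer": "https://www.google.com/"},
    "direct": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/90.0"},
}


def http_fetch(url: str, headers: Headers) -> str:
    """Real fetcher (needs network); only use it against sites you are responsible for."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def detect_cloaking(url: str, fetch: Fetcher = http_fetch) -> dict:
    """Fetch one URL under every persona. Differing bodies mean the server is
    tailoring content to who it believes is asking."""
    digests = {}
    for name, hdrs in PERSONAS.items():
        body = fetch(url, hdrs)
        digests[name] = hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]
    return {"url": url, "digests": digests, "cloaked": len(set(digests.values())) > 1}


# Constructed stand-in for a compromised site so the check runs offline.
NORMAL_PAGE = "<html><body><h1>Menu</h1><p>Deep dish, thin crust.</p></body></html>"
FAKE_THREAD = ("<html><body><h2>Re: sample script to export records</h2>"
               "<p>Attached below.</p>{link}</body></html>")


def fake_compromised_site(url: str, headers: Headers) -> str:
    kind = classify_visitor(headers)
    if kind == "crawler":          # indexable thread, no payload link
        return FAKE_THREAD.format(link="")
    if kind == "search_user":      # same thread plus the download link
        return FAKE_THREAD.format(link='<a href="/download.php?id=1">download.zip</a>')
    return NORMAL_PAGE             # regular visitors see the real site


def fake_clean_site(url: str, headers: Headers) -> str:
    return NORMAL_PAGE


if __name__ == "__main__":
    print(detect_cloaking("https://example.invalid/page", fake_compromised_site))
    print(detect_cloaking("https://example.invalid/page", fake_clean_site))
```

A clean result from one vantage point is not conclusive: the same kind of template can also key on source IP ranges or geolocation, so run the check from more than one network and compare with what Google's own URL Inspection tool shows for the page.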

For example, an employee on a Windows network searches Google for a script and finds what looks like a legitimate zip package to download. That user is unaware that the download contains scrambled JavaScript with a multi-step decoding process, which evades detection and then reassembles and runs programs. If it is opened, the download installs the Gootkit trojan and communicates with the attacker's machine hosting the framework's server-side components. The infected user's system is then set up to run the trojan every time the computer restarts.
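The zip package in this scenario can be screened before anyone opens it. The following is an added example, not the article's or any vendor's code: static checks a download gateway or an analyst can run on an archive held in memory, flagging script files, deceptive double extensions, very long string literals and the decoder/executor APIs that a multi-stage obfuscated JavaScript loader needs. The thresholds, the detection strings and the sample archives are constructed for this illustration.

```python
"""Added example: pre-open triage of a downloaded zip for script droppers.
Not code from the article. Thresholds and samples are assumptions."""
import io
import math
import re
import sys
import zipfile
from typing import List

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".cmd", ".bat", ".lnk")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.[a-z0-9]{1,4}$")
LONG_STRING = re.compile(r"""(['"])[^'"\n]{200,}\1""")
DECODER_API = re.compile(r"\b(eval|Function|unescape|String\.fromCharCode|WScript\.Shell|"
                         r"ActiveXObject|charCodeAt|substr)\b")
ENTROPY_LIMIT = 5.5   # bits/byte; readable JS source usually sits around 4.5-5


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_zip(blob: bytes) -> dict:
    """Return per-member findings and a block/allow verdict for an in-memory zip."""
    members: List[dict] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            data = zf.read(info)
            text = data.decode("latin-1")     # lossless bytes->str for regex scanning
            reasons = []
            if name.endswith(SCRIPT_EXTS):
                reasons.append("script file")
            if DOUBLE_EXT.search(name):
                reasons.append("double extension")
            longest = max((len(m.group(0)) for m in LONG_STRING.finditer(text)), default=0)
            if longest:
                reasons.append(f"string literal of {longest} chars")
            apis = sorted(set(m.group(1) for m in DECODER_API.finditer(text)))
            if apis:
                reasons.append("decoder/executor APIs: " + ", ".join(apis))
            ent = shannon_entropy(data)
            if ent > ENTROPY_LIMIT:
                reasons.append(f"high entropy {ent:.2f} bits/byte")
            members.append({"name": info.filename, "size": len(data), "reasons": reasons})
    block = any("script file" in m["reasons"] or "double extension" in m["reasons"] for m in members)
    return {"members": members, "block": block}


def build_sample_zip() -> bytes:
    """Constructed archive resembling a 'helpful script' download: one .js whose
    body is a long scrambled blob plus a decode-and-eval stub."""
    scrambled = "".join(chr(0x61 + (i * 7) % 26) for i in range(600))   # stand-in payload
    js = ('var _0x1a="' + scrambled + '";\n'
          'var _0x2b="";for(var i=0;i<_0x1a.length;i++){'
          '_0x2b+=String.fromCharCode(_0x1a.charCodeAt(i)^13);}\n'
          'eval(_0x2b);\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("export_records_script.js", js)
        zf.writestr("readme.txt", "Run the script to export your records.\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "Nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    print(inspect_zip(blob))
```

The hard verdict rests only on file type and naming, which a script loader cannot hide; the string, API and entropy findings are hints for the analyst, since legitimate minified libraries trigger some of them too.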

Fileless attack?

Once launched, everything on the infected PC runs in system memory rather than from the filesystem. Because of the uniqueness of this form of attack, which uses the capabilities of JavaScript in a sophisticated "fileless" manner as a detection evasion strategy, malware analysis firm Sophos judged it worth distinguishing from other common trojan loading methods by name: Gootloader.

As if that weren't bad enough, Gootkit was historically used to deliver the Kronos financial malware over email. With the most recent "upgrade" to the framework, Gootkit has enabled criminals to use Google for distribution and has given them a payload architecture that includes processing (and perhaps administering) ransomware extortion schemes.

Combined with the exfiltration of data, ransomware is a powerful tool for blackmailing organizations and institutions into paying up. This attack is extremely tough to defend against and to detect with anti-malware software. In a rush, it may even mislead seasoned IT specialists. Ordinary Google search users in the workplace have little chance.

It obfuscates its own decoding keys and variable names and stores them as Windows Registry key/value pairs, which could in turn give defenders a means to decode it. In a successful attack on a compromised website, the fake thread's topic will most likely differ from the rest of the site's content. Google could locate infected sites and notify site owners through content analysis and, in particular, the telltale indicators left by the HTML template's malware output.

What about other search engines?

At this moment it does not appear that criminals using the Gootkit malware framework have poisoned the SERPs of other search engines. Theoretically, nothing stands in the way of their doing so. If the framework's author(s) only bothered to filter for Googlebot's user agent, that may explain it: the typical criminal end user's skill set does not usually include modifying the source.

Why we care

I've personally witnessed this type of attack with SEO clients, and it's only going to get worse and more common. Gootkit first appeared in 2014, and in our SMX Workshop: SEO for Developers we discussed a case from that time. Given the time that has passed since that incident, future workshops with more in-depth security topics may reveal new details. Speaking as practitioners in the field of information security, we offer it as a warning as well as a lesson to developers.

If this happens on any of the sites you work on, you'll have to trace it back to its origin to fix it. In the case above, PHP's eval() function was used to maliciously publish a fake sports memorabilia e-commerce site under the domain name of a prominent Chicago pizza chain. The campaign aimed to exploit the popular domain's high ranking potential as well as the topical relevance of pizza and sports. As the chain's interactive agency, we were able to study log data, which led to the discovery and removal of the malware's entry point and to the installation of measures intended to prevent a recurrence.
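Tracing an incident like this back through log data, as an added example that is not the agency's own tooling: a triage of a web server's combined-format access log for the two traces a compromise of this kind leaves, namely POST requests to PHP files that are not part of the site (the injected entry point) and Google-referred traffic landing on URLs the site never published (the fake thread pages). The log lines, the path allowlist and the file names in them are constructed for this illustration.

```python
"""Added example: access-log triage for an injected PHP entry point and
cloaked SEO pages. Not the article's code; sample log and allowlist are
constructed."""
import re
import sys
from collections import OrderedDict
from typing import Iterable, Set
from urllib.parse import urlsplit

# Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def from_google(referer: str) -> bool:
    host = urlsplit(referer).hostname or ""
    return "google" in host.split(".")


def triage_log(lines: Iterable[str], known_paths: Set[str]) -> dict:
    """known_paths: every URL path the site legitimately serves (sitemap plus
    application endpoints). Returns first-seen timestamps per suspect path."""
    suspect_posts = OrderedDict()
    unknown_search_landings = OrderedDict()
    unparsed = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        path = urlsplit(m["target"]).path       # drop the query string
        status = int(m["status"])
        if path in known_paths or status >= 400:
            continue                            # legitimate page, or never served
        if m["method"] == "POST" and path.endswith(".php"):
            suspect_posts.setdefault(path, m["ts"])             # keep first sighting
        elif m["method"] == "GET" and from_google(m["referer"]):
            unknown_search_landings.setdefault(path, m["ts"])
    return {
        "suspect_posts": dict(suspect_posts),
        "unknown_search_landings": dict(unknown_search_landings),
        "unparsed": unparsed,
    }


# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2021:08:12:01 +0000] "GET /menu HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2021:08:15:44 +0000] "POST /wp-content/uploads/cache/x.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2021:08:15:59 +0000] "POST /wp-content/uploads/cache/x.php HTTP/1.1" 200 91 "-" "Mozilla/5.0"
66.249.66.1 - - [10/Jul/2021:09:01:10 +0000] "GET /forum/thread-export-records-script HTTP/1.1" 200 7340 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.33 - - [11/Jul/2021:14:22:37 +0000] "GET /forum/thread-export-records-script HTTP/1.1" 200 7712 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
192.0.2.34 - - [11/Jul/2021:14:23:02 +0000] "GET /locations HTTP/1.1" 200 4100 "https://www.google.co.uk/" "Mozilla/5.0"
192.0.2.35 - - [11/Jul/2021:14:25:18 +0000] "GET /wp-login.php HTTP/1.1" 404 120 "-" "curl/7.68.0"
"""
KNOWN_PATHS = {"/", "/menu", "/locations", "/order", "/contact"}


if __name__ == "__main__":
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(triage_log(lines, KNOWN_PATHS))
```

The first-seen timestamp of the suspect POST is the pivot for the rest of the investigation: everything from that client address around that time, and any file under the web root modified shortly before it, is where the entry point will be found. Build the allowlist from the sitemap and the application's real endpoints so that normal admin traffic is not reported.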

The post How Gootkit trojan distributes ransomware via Google SERPs appeared first on Soft Trending.
