Gootloader Malware Targets Healthcare Searches Online Using SEO Poisoning

“Gootloader,” a piece of malware named by Sophos researchers, was recently seen using SEO (search engine optimization) to lure people performing healthcare-related searches to its download sites. The threat actors involved copy some or all of a legitimate website’s content, add the Gootloader file to scripts that unwitting visitors can download (or make it part of a page link that downloads the file when clicked), and put the result online at a URL that sometimes closely resembles that of the original site.

This malware is used as a downloader for other malware packages, allowing a threat actor to take control of a network or exfiltrate data. In some cases, the threat actor has taken control quickly, in as little as four hours.

What Happened

Cybereason and others have been investigating Gootloader attacks against the healthcare and financial sectors since at least December of 2022, finding that some of those attacks were successful to the point that the threat actors could infiltrate and take control of sites and networks within as little as four hours. 

What is SEO poisoning?

SEO poisoning is the use of words and phrases that attract Internet users because they are commonly used to describe a popular, searchable topic or item. By using such terms when setting up a malware delivery site, the threat actor can draw victims to the site, where they may download its infected files.

How does this work? Simple really. If you want a search engine to place your site at or near the top when someone searches for a topic, you use words that are likely to make a search engine place it in that position. 

For instance: If you are putting up a blog site about funny pets, you might use tags, labels, and phrases that specifically target that type of search—words like funny, pets, cats, dogs, cute, lovable, etc. The grouping of the terms, if they are commonly searched for individually or together, will cause the algorithms that search engines use to place your website higher in the list of found locations. 

Each of the words alone might score a certain number of searches in a period of time, but the group will likely create a higher score, putting your website closer to the top. The more words with high search numbers you can put into your page, the higher it goes.

To show you what we mean, let’s experiment.

A search for the word “cats” returns almost six billion results on Google, with a Wikipedia page about cats in general as the top result. Adding the word “funny” reduces that number to about 1.5 billion, and a YouTube link to funny cat videos is at the top. Further, adding “pictures” to the search reduces it to 86 million and offers you a plethora of cute kitty pictures. 

As you can see, SEO can affect the number of results and the specificity of what you get within those results.

A threat actor would potentially use those words and others to narrow the set of results a search returns, making it more likely that victims land on their pages.

What is Gootloader?

Gootloader is considered a downloader malware because it uses code to open a path to a command and control (C2) location online, then downloads other malware packages that allow a threat actor to continue to attack a network or system. When a victim clicks on a page link (URL) or some content within a malicious website, the Gootloader malware is downloaded to their system. Once on the system, the malware starts actively downloading other malware packages.

Depending on the type of malware packages downloaded, the threat actor can then access the data and network assets available to the system that has been infected, threatening them with corruption, loss of integrity, or loss of data.

How will this affect you?

As an Internet user, you may search for various items of interest or information related to something you are working on. If you are prone to clicking around on several sites or locations to compare information (who isn’t?), then it is possible that you could become a victim of this malware or another. 

Suppose you are in control of an organization’s systems or networks. In that case, the personnel who work within that network are going to make mistakes; it is the nature of humanity that we aren’t perfect, and we are certainly often tempted to “check it out.” Being proactive and training your personnel to look for potential threats before they click is a good idea.

What should you do?

Starting with individuals, it is always good practice to ensure that when you search for something online, you only go to the results you are reasonably sure are safe to visit. Check the URL of the site to ensure it appears to be the correct one and not something incorrect or malformed.

An example might be if you want to go to Google to search for something, you check that you are actually going to “Google[.]com” and not another site. A malformed version of this URL might look like: Googley[.]com or Gogle[.]com. Either of those malformed versions could lead you into trouble.

As a network or system administrator, you can expand on the protections that you employ for Internet users by implementing cybersecurity awareness training, distributing recent threat updates via newsletters or emails, and deploying anti-malware applications (free or commercial). Be aware that some anti-malware applications are better at their jobs than others, and you should definitely compare your options before selecting one.

An additional item to consider is hardware or software, such as firewalls, that blocks access to known bad locations and files (and sometimes unknown ones as well) by using what are called block-listing or allow-listing policies (or both). Block-listing denies access to websites and files known to be harmful so users never reach them in the first place; allow-listing permits users to access only pre-approved locations.
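As an added illustration of the two checks described above (inspecting a URL for a lookalike domain, and applying allow-list and block-list policy), and not code from the original post, the following Python runs the page’s own “Googley[.]com” and “Gogle[.]com” examples through a constructed policy; the domain lists, the two-edit lookalike threshold and the two-label domain rule are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample policy: domains the organization has approved (allow-list)
# and domains already known to be bad (block-list, placeholder value).
ALLOWED_DOMAINS = {"google.com", "wikipedia.org", "youtube.com"}
BLOCKED_DOMAINS = {"known-bad-download-site.invalid"}
LOOKALIKE_MAX_EDITS = 2  # assumption: within two edits of a trusted name is suspicious

def hostname(url: str) -> str:
    """Lowercase host from a URL. Defanged '[.]' is refanged and a missing
    scheme is tolerated so bare names like 'Gogle[.]com' can be checked."""
    text = url.strip().replace("[.]", ".")
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()

def registrable_domain(host: str) -> str:
    """Keep the last two labels ('www.google.com' -> 'google.com'). A real
    deployment would consult the Public Suffix List; two labels suffice here."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> tuple:
    """Return (decision, reason). Allow-listing is default-deny: anything not
    approved is blocked, but a near-miss of a trusted domain is labelled as such."""
    domain = registrable_domain(hostname(url))
    if domain in BLOCKED_DOMAINS:
        return "block", "on block-list"
    if domain in ALLOWED_DOMAINS:
        return "allow", "on allow-list"
    for trusted in sorted(ALLOWED_DOMAINS):
        if edit_distance(domain, trusted) <= LOOKALIKE_MAX_EDITS:
            return "block", f"lookalike of {trusted}"
    return "block", "not on allow-list"

if __name__ == "__main__":
    for candidate in ["https://www.google.com/search?q=cats", "Googley[.]com",
                      "Gogle[.]com", "https://known-bad-download-site.invalid/file"]:
        print(candidate, "->", classify(candidate))
```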

Northstarr Recommendations 

Treating Internet access carefully and being diligent about where users go online is an important part of cybersecurity for any organization or person. Making sure that users can access what they need to get to but are kept from accessing harmful content is a reasonable and expected part of how things should be done, so make it a policy to ensure that it is.

Northstarr System Solutions is a company that has decades of experience and knowledge that can be leveraged to help you protect your personnel and data from such threats as Gootloader, and we would be happy to discuss the options that would be best suited to your needs.

To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!