Rise in attackers manipulating seo to deliver gootkit
Published By
Nathan Amos
March 2, 2023
5 min read.

This article will offer some insight into an increasing threat ParaFlare has observed recently where GOOTKIT/GOOTLOADER is being distributed via Search Engine Optimisation (SEO) poisoning, or search poisoning.

GOOTKIT is a sophisticated banking malware designed in 2014 with the primary goal of stealing login credentials and financial data. It has been continually evolving in attempts to remain undetected on the victim’s system through techniques that allow attackers to record keystrokes from users, modify web pages displayed in the browser, and control the infected machine remotely. The malware remains active even after the system is rebooted.

While GOOTKIT is like a lot of other malware, its distribution has gained some notoriety through SEO poisoning. This technique involves criminals manipulating search engine result pages to redirect users to a compromised website. In this case the aim of the compromised website is to allow the unsuspecting users to download a malicious ZIP file containing the malicious JavaScript. Examples of these have been seen in Brisbane in the medical/health sector when users have been utilising search terms including the word “agreement” in addition to “hospital” and “nursing”. ParaFlare has also seen examples of searching for rental applications as well as job related searches for declining jobs.

Generally all of the sites that are directing users to download the suspicious file are compromised WordPress sites. The attacker modifies a portion of the website code which in turn increases the search engine performance metrics to put them at the top of the search.

So, while this all sounds like doom and gloom there are some practical steps you and your staff can take to identify malicious sites and reduce the risk of downloading GOOTKIT or another piece of malware.

Does that URL look right?

First, talk to staff about how to detect fake websites, including checking URL details. SentinelOne has a great blog here about an ongoing poisoning campaign relating to Blender 3D – the popular open-source 3D graphics software. In this example, a simple Google search returned malicious Blender 3D ads which quickly shift, showing how attackers can automate threat activity at scale. A search for the legitimate website – blender.org – returned blender-s.org, blendersa.org, and blender3dorg.fras6899.odns.fr (to name just a few). The malicious sites are often near-perfect copies of the legitimate sites.

Why is my dentist talking about rental properties?

Attackers typically create malicious websites based on popular search terms or trending topics, and this can be aligned to holiday seasons – such as Christmas recipes and Halloween costumes – or social issues – such as employment services for people who are looking for work.

In some cases, the search results just don’t make sense. An example of this would be a Dental Surgery website returning results for a search about a rental agreement. Check the URL and the source providing the content before clicking on the link.

Hmm…. that’s a large file

Another great reminder for staff is that to be mindful when downloading files from the internet. Would they be expecting a ZIP or compressed file when they are really looking for a PDF or Word Doc?

While staff are the most important in preventing this type of attack a multi layered approach to cybersecurity which includes end point detections, firewalls, intrusion detection and prevention systems and vulnerability management with regular assessments will also assist.

As always, ParaFlare is here to help if you believe you’ve been compromised.





You Should also read

Active defence: the importance of cyber operations

Are we jumping at zero-day shadows?

XDR, SIEM AND SOAR convergence.

Behind the scenes of the ‘Hunting for hackers’ Webinar.