Cyber Affairs
Hackers Poison SEO Results To Deploy Gootloader Malware

by admin
Feb 27, 2024
in News

Hackers poison SEO results, manipulating search engine rankings so that users are misdirected to malicious sites.

They exploit vulnerabilities in legitimate websites to inject malicious code or links, putting more eyes on their deceitful content.

Recently, cybersecurity researchers at The DFIR Report found that hackers are actively poisoning SEO results to deploy Gootloader malware and gain hands-on RDP access.

Hackers Poison SEO Results

In February 2023, a user searching for an “Implied Employment Agreement” landed on a poisoned SEO result that the Gootloader operators had set up.

On the fake forum page, the user clicked the download link and fell into the trap. Upon opening the download, Gootloader ran and dropped files that established its persistence.

It then executed PowerShell scripts and connected to remote endpoints.

Windows Defender blocked subsequent lateral movement attempts. Despite these obstacles, the attacker carried on and used SystemBC to compromise a domain controller.

Afterward, using RDP, they accessed backups and sensitive information until an attempt was made to remove them from the network.

‘Implied Employment Agreement’ document (Source – The DFIR Report)

The user visited an SEO-poisoned website that led to a suspicious forum link offering the “Implied Employment Agreement” download.

The harmless-looking document was, in fact, a GootLoader loader inside a zip archive. It executed a JavaScript chain that created scheduled tasks and ran obfuscated scripts.

The PowerShell script facilitated the infection through the following processes:

  • Svchost.exe
  • Wscript.exe
  • Cscript.exe
  • Powershell.exe
Infection chain (Source – The DFIR Report)

Some servers returned an HTTP 405 response code; however, one of them, 46.28.105[.]94, was a weaponized server that delivered Gootloader via a URL.

The final download contained multiple variants of Gootloader stage 1 (an obfuscated DLL) and stage 2 (an EXE file), both of which a script wrote into the registry.

Stage 1 deobfuscated stage 2, which loaded a Cobalt Strike Beacon. Cobalt Strike’s ‘getsystem’ command was evidently used to spawn cmd.exe from DLLHOST for privilege escalation.

Timeline (Source – The DFIR Report)

Logon sessions were initiated with harvested credentials via ‘Logon type 9’ logons using the ‘seclogo’ logon process. Restricted Admin Mode was enabled so that pass-the-hash logons could be performed.

Registry changes were also made to allow RDP connections.

Besides this, Cobalt Strike beacons were distributed to other hosts through remote service creation using various payloads.

WordPad was used to open the password-related documents involved in credential access, as well as other sensitive files. Contracts and other legal files and folders were also among the files of interest.
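As an added detection example (not code from the article or from The DFIR Report), the following Python logic flags the three host-level signals described in this passage over constructed sample events written in a simplified key=value form: a logon type 9 session with the seclogo logon process, Restricted Admin Mode being enabled by setting the DisableRestrictedAdmin registry value to 0, and RDP being enabled by setting fDenyTSConnections to 0. The event layout (Security 4624 fields and Sysmon Event ID 13 registry value sets) is an assumption about how a telemetry pipeline would present these events, not a detail from the page.

```python
import re

# Constructed sample events (not from The DFIR Report), in a simplified
# key=value form: Security 4624 logons and Sysmon Event ID 13 registry value sets.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=9 LogonProcessName=seclogo TargetUserName=admin01 Host=WS01",
    "EventID=4624 LogonType=2 LogonProcessName=User32 TargetUserName=jdoe Host=WS01",
    "EventID=13 TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin "
    "Details=DWORD (0x00000000) Image=C:\\Windows\\System32\\reg.exe Host=WS01",
    "EventID=13 TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections "
    "Details=DWORD (0x00000000) Image=C:\\Windows\\System32\\reg.exe Host=DC01",
    "EventID=13 TargetObject=HKLM\\SOFTWARE\\Vendor\\App\\Setting "
    "Details=DWORD (0x00000001) Image=C:\\Program Files\\App\\app.exe Host=WS01",
]

# A field runs until the next " key=" token, so values may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Parse one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def _dword(details):
    """Extract the integer from a Sysmon 'DWORD (0x...)' Details string."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(m.group(1), 16) if m else None


def detect(lines):
    """Return (host, rule) hits for the three behaviours described in the text."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("Host", "?")
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "9"
                and ev.get("LogonProcessName", "").lower() == "seclogo"):
            # Logon type 9 (NewCredentials) + seclogo: alternate credentials
            # injected into a token, the pattern left by pass-the-hash tooling.
            hits.append((host, "logon_type9_seclogo"))
        elif ev.get("EventID") == "13":
            target = ev.get("TargetObject", "").lower()
            value = _dword(ev.get("Details", ""))
            if target.endswith("\\lsa\\disablerestrictedadmin") and value == 0:
                hits.append((host, "restricted_admin_enabled"))  # allows PtH over RDP
            elif target.endswith("\\terminal server\\fdenytsconnections") and value == 0:
                hits.append((host, "rdp_enabled_via_registry"))
    return hits
```

Only these two registry values and the logon process name are matched; a production rule would also baseline which administrative hosts legitimately toggle them.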

Copyright © 2022 Cyber Affairs. All rights reserved.