Cybercriminals Use GootLoader’s Technique to Deliver Ransomware

Attackers use Black Hat SEO to push ransomware, Trojans

According to a report, cybercriminals are using black hat SEO techniques to spread Trojans, ransomware and other malware through ‘GootLoader’, a complex and stealthy delivery framework that now distributes these infections across multiple regions from hundreds of hacked servers that are active at all times.

The campaign relies on GootLoader’s mechanism to push a wider variety of Trojans, ransomware and other malware through hacked WordPress websites and malicious SEO techniques that manipulate Google search results.

The threat actors have regrouped, forming a vast network of hacked WordPress websites and using SEO poisoning (Black Hat SEO) to place fake forum posts containing malicious links in Google results. The fake message boards appear only to a site’s visitors from specific geographies and present them with a ‘discussion’ in which a post from the ‘website administrator’ contains the answer to their query.

According to the cyber security company ‘Sophos’, GootLoader controls about 400 servers active at any time that host hacked but otherwise legitimate websites. The cybercriminals behind this technique also modified the CMS (Content Management System) of the hacked websites so that the fake message boards are shown only to visitors from specific locations.

Some hacked websites associated with the Gootloader framework deliver fake forum posts that answer a very specific search query related to real estate transactions. These fake posts contain malicious hyperlinks that redirect users to a hacked domain and trick them into installing Gootloader payloads, including Gootkit and REvil ransomware.

As mentioned, attackers use the GootLoader mechanism to spread malware through hacked WordPress websites and malicious SEO (Black Hat SEO) techniques aimed at Google results. GootLoader has also been observed spreading the ‘Kronos Trojan’ and the Cobalt Strike threat emulation toolkit.

According to Sophos, this campaign targets visitors from the US, Germany, South Korea and France. Clicking a link in the fake forum post redirects the visitor to a ZIP archive containing a JavaScript file that initiates the infection. The malware delivered through GootLoader is deployed in system memory so that traditional security software cannot detect it. Such fake forum posts might look legitimate at the beginning but turn into unintelligible rambling towards the end.

Gootloader malware campaign delivers payloads into system memory

As mentioned, Gootloader’s initial payload, a JavaScript file, initiates the infection and evades detection by traditional antivirus solutions. The payload applies two layers of encryption to the strings and data blobs that relate to the next stage of the attack. When the second stage of this payload finishes, the Gootloader C2 (Command and Control) server delivers a string of numeric values and ASCII characters into system memory. The same method was observed by ‘Malwarebytes’ when its researchers analysed the delivery of ‘REvil ransomware’ to German targets using Gootkit’s delivery framework.

Gootloader’s JavaScript file acts as the initial payload; the next step of the campaign is an autorun entry created for a ‘PowerShell’ script so that it runs at each system reboot. The purpose of this script is to decode the content written earlier into system registry keys. It then launches the final payload into system memory, which can be Gootkit, REvil, Kronos or Cobalt Strike.

Gootloader samples use the registry to store two payloads

The first payload is a small ‘C#’ executable responsible for extracting a second executable from data stored in the Windows registry. The second executable, the final payload, is an intermediary .NET injector that deploys a Delphi-based malware using the ‘process hollowing’ technique.

Sophos also explained that legitimate applications, including ‘ImagingDevices.exe’, a system component of Windows, and ‘Embarcadero External Translation Manager’, are used by the attackers behind the Gootloader campaign for this process.

This Delphi malware includes an encrypted copy of REvil, Gootkit, Cobalt Strike or Kronos and is the last link in the infection chain. Researchers also explained that the cybercriminals use multiple variations of the delivery method in this campaign, including additional PowerShell scripts, Cobalt Strike modules or code-injector executables.
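A defender-side hunt for the two steps of the chain described above (a Run-key entry that starts a PowerShell decoder, and executables staged as registry data), written here as an added PowerShell example that is not part of the article or of the Sophos research. The Run keys listed, the 4 KB size threshold and the command-line patterns are illustrative assumptions, not indicators taken from the page.

```powershell
# Added hunt script; assumptions below are illustrative, not indicators from the report.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Autorun entries that launch PowerShell. The chain persists via a Run-key entry
#    that runs a PowerShell script at every reboot to decode data from the registry.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # skip provider metadata
        $cmd = [string]$p.Value
        # Assumed pattern: PowerShell started from autorun with hidden/encoded switches
        # or with cmdlets that read registry values back.
        if ($cmd -match '(?i)powershell|pwsh' -and
            $cmd -match '(?i)-enc|-w(indowstyle)?\s+hidden|Get-ItemProperty|GetValue') {
            [PSCustomObject]@{ Check = 'Autorun'; Key = $key; Name = $p.Name; Value = $cmd }
        }
    }
}

# 2. Unusually large string values under HKCU\Software. The first-stage C# executable
#    and the .NET injector are stored as registry data and reassembled in memory;
#    legitimate Software string values are normally far smaller than this threshold.
$threshold = 4096   # assumed cut-off, tune for your environment
Get-ChildItem -Path 'HKCU:\Software' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $k = $_
        foreach ($name in $k.GetValueNames()) {
            $kind = $k.GetValueKind($name)
            if ($kind -ne 'String' -and $kind -ne 'ExpandString') { continue }
            $val = [string]$k.GetValue($name)
            if ($val.Length -ge $threshold) {
                [PSCustomObject]@{ Check = 'LargeValue'; Key = $k.Name; Name = $name; Length = $val.Length }
            }
        }
    }
```

Run it from an elevated prompt so the HKLM keys are readable; each hit is emitted as an object, so the output can be piped to `Export-Csv` for triage.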

How to prevent this type of malware campaign

Researchers explained that one way to stop the replaced (hacked) page from doing harm is to use script blockers, which can prevent such malicious scripts or payloads from running on the system. Also, do not click suspicious links or buttons offered by malicious or hacked websites and forums. That’s all. For any suggestions or queries, please write in the comment box below.