Attackers use Black Hat SEO to push ransomware, Trojans
According to a recent report, cybercriminals are using black hat SEO techniques to spread Trojans, ransomware and other malware through 'GootLoader', a complex and stealthy delivery framework. The mechanism is now distributing these infections across multiple regions from hundreds of hacked servers that are active at all times.
The malware campaign relies on GootLoader's delivery mechanism to push a wider variety of Trojans, ransomware and other malware through hacked WordPress websites, using malicious SEO techniques to manipulate Google results.
The threat actors have regrouped, building a vast network of hacked WordPress websites and using SEO poisoning (Black Hat SEO) to get fake forum posts containing malicious links ranked in Google results. The fake message boards appear only to site visitors from specific geographies and present them with a 'discussion' in which a post from the 'website administrator' contains the answer to their query.
According to the cyber security company Sophos, GootLoader's operators control about 400 servers at any one time, hosting hacked but otherwise legitimate websites. The cybercriminals behind the technique have also modified the CMS (Content Management System) of the hacked websites so that the fake message boards are shown only to visitors from specific locations.
Some hacked websites associated with the Gootloader framework deliver fake forum posts that answer a very specific search query related to real estate transactions. These fake posts contain malicious hyperlinks that redirect users to a hacked domain and trick them into installing Gootloader payloads, including Gootkit and REvil ransomware.
As mentioned, attackers use the GootLoader mechanism to spread malware via hacked WordPress websites and Black Hat SEO techniques aimed at Google results. GootLoader has also been observed spreading the Kronos Trojan and the Cobalt Strike threat emulation toolkit.
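A site owner can detect this kind of content cloaking by fetching the same page twice, once as a direct visitor and once arriving through a search result, and comparing what is served. The following script is an added example, not code from the original article or from Sophos; it performs the comparison step on two constructed HTML renderings of a page (the hostnames, the forum keyword list and the HTML are assumptions). Because the real campaign also gates on the visitor's location, the live fetch would have to be made from a targeted region.

```python
"""
Added example (not from the original article): compare two renderings of the
same page, one served to a direct visitor and one served to a visitor who
arrived via a search engine, and report hyperlinks and forum-style text that
only the second visitor sees. The HTML samples below are constructed.
"""
import re
from html.parser import HTMLParser

# Assumed vocabulary of a fake "discussion" thread; tune to the site being checked.
FORUM_MARKERS = ("reply", "posted", "administrator", "admin", "download")


class _LinkCollector(HTMLParser):
    """Collect hrefs and visible text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        stripped = data.strip()
        if stripped:
            self.text.append(stripped)


def parse_page(html):
    """Return (list of hrefs in document order, visible text joined by spaces)."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links, " ".join(parser.text)


def cloaked_links(baseline_html, suspect_html):
    """Return hrefs present only in the suspect rendering, in document order."""
    base_links, _ = parse_page(baseline_html)
    sus_links, _ = parse_page(suspect_html)
    base_set = set(base_links)
    return [href for href in sus_links if href not in base_set]


def cloaked_text_has_forum_markers(baseline_html, suspect_html):
    """True when text seen only in the suspect rendering reads like a forum thread."""
    _, base_text = parse_page(baseline_html)
    _, sus_text = parse_page(suspect_html)
    base_words = set(re.findall(r"[a-z]+", base_text.lower()))
    extra_words = set(re.findall(r"[a-z]+", sus_text.lower())) - base_words
    return any(marker in extra_words for marker in FORUM_MARKERS)


# Constructed sample: what a direct visitor sees.
BASELINE_HTML = """<html><body>
<h1>Example Realty Blog</h1>
<p>Welcome to our site.</p>
<a href="/about">About us</a>
</body></html>"""

# Constructed sample: the same page with an injected fake discussion.
CLOAKED_HTML = """<html><body>
<h1>Example Realty Blog</h1>
<p>Welcome to our site.</p>
<a href="/about">About us</a>
<div class="forum">
<p>Question: where do I get the sample real estate agreement?</p>
<p>Posted by administrator: the file is here.</p>
<a href="http://example.invalid/download.php?id=1">Download the agreement</a>
</div>
</body></html>"""

if __name__ == "__main__":
    for href in cloaked_links(BASELINE_HTML, CLOAKED_HTML):
        print("link only shown to referred visitors:", href)
    print("forum-style injection:", cloaked_text_has_forum_markers(BASELINE_HTML, CLOAKED_HTML))
```

Any link that appears only in the referred rendering is worth investigating on the server side, since a legitimate CMS does not normally vary its hyperlinks by referrer or region; the forum-marker check is a coarse filter to prioritise pages whose injected text mimics a discussion thread.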
The Gootloader malware campaign delivers its payloads into system memory
Gootloader samples use the Windows registry to store two payloads.
The first payload is a small C# executable responsible for extracting a second executable from data stored in the Windows registry. The second executable is an intermediary .NET injector that deploys Delphi-based malware using the process hollowing technique.
Sophos researchers also explained that legitimate applications, including ImagingDevices.exe (a system component of Windows) and the Embarcadero External Translation Manager, are used by the attackers behind the Gootloader campaign in this process hollowing step.
This Delphi malware carries an encrypted copy of REvil, Gootkit, Cobalt Strike or Kronos and is the last link in the infection chain. Researchers also explained that the cybercriminals use multiple variations of the delivery method in this campaign, including additional PowerShell scripts, Cobalt Strike modules or code-injector executables.
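Because the second stage is an executable parked in registry data, a defender can hunt for it without knowing the specific key: look for values that decode to a PE image, or that are far larger than configuration data normally is. The following script is an added example, not code from the article or from Sophos; it runs the heuristic over a constructed dict of registry values (key names, the size threshold and the fake PE image are assumptions), and on a live Windows host the same dict would be populated from winreg.

```python
"""
Added example (not from the original article): heuristic scan of registry
values for an embedded Windows executable. Values are supplied as a plain
dict so the check runs offline on constructed data. Key names, the size
threshold and the sample PE image below are assumptions for the demo.
"""
import base64
import binascii
import re
import struct

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")
LARGE_VALUE = 4096  # assumed: values this big rarely hold ordinary configuration


def looks_like_pe(blob):
    """True when blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_candidates(value):
    """Yield byte interpretations of a value: raw bytes, hex text, base64 text."""
    if isinstance(value, (bytes, bytearray)):
        yield bytes(value)
        return
    if not isinstance(value, str):
        return
    compact = "".join(value.split())
    if HEX_RE.match(compact) and len(compact) % 2 == 0:
        yield bytes.fromhex(compact)
    if B64_RE.match(value):
        try:
            yield base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            pass


def scan_registry_values(values):
    """
    values: mapping of 'KEY\\ValueName' -> data (bytes or str).
    Returns a list of (name, reason) findings in input order.
    """
    findings = []
    for name, data in values.items():
        for blob in decode_candidates(data):
            if looks_like_pe(blob):
                findings.append((name, "embedded PE image"))
                break
        else:
            size = len(data) if isinstance(data, (bytes, str)) else 0
            if size >= LARGE_VALUE:
                findings.append((name, "unusually large value (%d bytes)" % size))
    return findings


# Constructed minimal PE skeleton: MZ header, e_lfanew = 0x80, 'PE\0\0' at 0x80.
FAKE_PE = (
    b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x80)
    + b"\x00" * (0x80 - 0x40) + b"PE\x00\x00" + b"\x00" * 16
)

# Constructed registry snapshot; the key names are placeholders.
SAMPLE_VALUES = {
    r"HKCU\Software\ExampleApp\Version": "1.0.3",
    r"HKCU\Software\ExampleApp\Stage1": FAKE_PE.hex(),
    r"HKCU\Software\ExampleApp\Stage2": base64.b64encode(FAKE_PE).decode(),
    r"HKCU\Software\ExampleApp\Blob": "A" * 5000,
}

if __name__ == "__main__":
    for name, reason in scan_registry_values(SAMPLE_VALUES):
        print(name, "->", reason)
```

The PE check is deliberately strict (a valid e_lfanew that lands on the NT signature) so that ordinary binary configuration does not trip it, while the size threshold catches encoded or encrypted blobs that the header test cannot see into; findings of either kind point at the key the first-stage loader reads from.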
How to protect against this type of malware campaign
Researchers explained that one way to defeat the replacement of a hacked page's content is to use a script blocker, which can stop such malicious scripts or payloads from running on your system. Also, do not click suspicious links or buttons offered by malicious or hacked websites and forums. That's all. For any suggestions or queries, please write in the comment box below.