Cybercriminals are using a novel technique in which Google search engine optimisation (SEO) is abused to deliver malware payloads. Besides taking advantage of human psychology, SEO tricks are used to improve the compromised websites’ ranking in Google search results.
The Discovery
- Researchers have observed Gootloader, an advanced infection framework for the Gootkit RAT that also delivers other malware payloads, using a new SEO technique.
- Malware such as Kronos, Cobalt Strike, and REvil ransomware is being propagated with this technique.
- Countries including South Korea, Germany, France, and the U.S. were targeted by these attacks.
The Technicalities
- The attackers built a vast network of hacked WordPress sites and used SEO poisoning to display fake forum posts, along with malicious links, on Google forums.
- The CMS of the compromised websites was also modified so that the fake message boards were shown to visitors from specific locations.
- Researchers estimate that the Gootloader operators control a network of around 400 servers.
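Because the fake message boards are served conditionally, a site operator cannot rely on what their own browser shows. One defensive check is a differential fetch: request the same URL with several request profiles (plain browser, search-crawler User-Agent, a visit carrying a search-engine Referer) and diff the links and visible text. The script below is an added example, not code from the original article or from the Gootloader research it summarises; the header profiles, the `example.invalid` URL and the two sample HTML bodies are constructed, and the live `fetch_variants` helper is included but not run by the sample.

```python
"""Differential fetch check for conditional (cloaked) content on a site you run.

Added example; not code from the original article or from the Gootloader
research. Header profiles, sample URL and sample HTML are constructed.
"""
import re
import urllib.request
from html.parser import HTMLParser

# Request profiles. Cloaked pages key on fields like these; the exact
# User-Agent strings are assumptions, adjust to the crawlers you care about.
PROFILES = {
    "browser": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    "crawler": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "from_search": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Referer": "https://www.google.com/",
    },
}


class _Extractor(HTMLParser):
    """Collect hrefs and visible text, ignoring script/style bodies."""

    def __init__(self):
        super().__init__()
        self.links = set()
        self.text = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())


def extract(html):
    parser = _Extractor()
    parser.feed(html)
    return parser.links, " ".join(parser.text)


def compare_variants(baseline_html, variant_html):
    """Return links and words that appear only in the variant response."""
    base_links, base_text = extract(baseline_html)
    var_links, var_text = extract(variant_html)
    base_words = set(re.findall(r"\w+", base_text.lower()))
    var_words = set(re.findall(r"\w+", var_text.lower()))
    return {
        "extra_links": sorted(var_links - base_links),
        "extra_words": sorted(var_words - base_words),
    }


def fetch_variants(url, timeout=10):
    """Fetch url once per profile (network call; not used by the sample)."""
    out = {}
    for name, headers in PROFILES.items():
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            out[name] = resp.read().decode("utf-8", errors="replace")
    return out


# Constructed sample: what a normal visitor sees versus what the same URL
# returns when the request looks like a search crawler or search referral.
NORMAL_PAGE = """<html><body><h1>Acme Plumbing</h1>
<p>Call us for repairs.</p><a href="/contact">Contact</a></body></html>"""

CLOAKED_PAGE = """<html><body><h1>Acme Plumbing</h1>
<p>Call us for repairs.</p><a href="/contact">Contact</a>
<div class="forum"><p>Re: example contract template download</p>
<a href="https://example.invalid/download.php?id=123">direct link</a></div>
</body></html>"""


def check_sample():
    """Run the comparison on the embedded sample pages."""
    return compare_variants(NORMAL_PAGE, CLOAKED_PAGE)


if __name__ == "__main__":
    for key, values in check_sample().items():
        print(key, values)
```

In live use, call `fetch_variants` for a URL you operate and feed each non-browser response into `compare_variants` against the browser response; any outbound link or forum-style text that appears only for crawlers or search referrals is worth inspecting in the CMS.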
The Delivery Mechanism
- It could not be determined which exploit was used to compromise these domains, since the CMS could have been hijacked by malware, stolen credentials, or brute-force attacks.
- Two legitimate applications were used in the campaign: ImagingDevices.exe (shipped with Windows) and the Embarcadero External Translation Manager.
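Abuse of legitimate, signed applications is hard to catch by file name alone, but a system binary launching from a user-writable directory is a simple, low-noise signal. The script below is an added example, not code from the original article or from the research it summarises: it scans constructed process-creation records and flags watched binaries found outside their expected directory, plus any executable started from a user-writable path. The expected location of ImagingDevices.exe (System32) is an assumption to verify on your build, and `embarcadero_placeholder.exe` stands in for the translation manager because the page does not give its file name.

```python
"""Flag trusted Windows binaries executing from unexpected locations.

Added example, not code from the original article. The CSV below is a
constructed, simplified process-creation log; the expected-location table
and the user-writable directory list are assumptions to tune per estate.
"""
import csv
import io
import ntpath

# Binaries named in the campaign summary, mapped to where they normally live.
# ImagingDevices.exe under System32 is an assumption to verify on your build.
# The Embarcadero tool has no fixed path here, so it is only caught by the
# user-writable-directory heuristic below.
WATCHED = {
    "imagingdevices.exe": [r"c:\windows\system32"],
}

# Path fragments a standard user can write to.
USER_WRITABLE = (
    r"\appdata\local\temp",
    r"\appdata\roaming",
    r"\appdata\local",
    r"\downloads",
    r"c:\users\public",
    r"c:\programdata",
)

# Constructed sample events (timestamps, users and paths are made up;
# embarcadero_placeholder.exe is a placeholder, not the real binary name).
SAMPLE_EVENTS = """timestamp,image,parent_image,user
2021-03-02T10:15:01,C:\\Windows\\System32\\ImagingDevices.exe,C:\\Windows\\explorer.exe,CORP\\alice
2021-03-02T10:16:44,C:\\Users\\alice\\AppData\\Roaming\\ImagingDevices.exe,C:\\Windows\\explorer.exe,CORP\\alice
2021-03-02T10:17:10,C:\\Users\\alice\\Downloads\\embarcadero_placeholder.exe,C:\\Windows\\explorer.exe,CORP\\alice
2021-03-02T10:18:00,C:\\Windows\\System32\\notepad.exe,C:\\Windows\\explorer.exe,CORP\\alice
"""


def _norm(path):
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def classify(image):
    """Return a list of reasons an image path is suspicious (empty if none)."""
    directory, name = ntpath.split(_norm(image))
    reasons = []
    expected = WATCHED.get(name)
    if expected is not None and directory not in expected:
        reasons.append("high: %s running outside %s" % (name, ", ".join(expected)))
    if any(fragment in directory for fragment in USER_WRITABLE):
        reasons.append("info: executable started from user-writable directory")
    return reasons


def scan(csv_text):
    """Parse process-creation records and return the events that hit a rule."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = classify(row["image"])
        if reasons:
            findings.append(
                {"timestamp": row["timestamp"], "image": row["image"],
                 "parent": row["parent_image"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["timestamp"], finding["image"])
        for reason in finding["reasons"]:
            print("   ", reason)
```

The "high" rule fires only for binaries in `WATCHED`, so it stays quiet on ordinary software installs; the "info" rule is a triage aid rather than an alert, and the table is the place to add other signed binaries you see being side-loaded in your environment.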
Cybercriminals are combining sophisticated social-engineering chains with technical skill in ways that can fool anyone. End-users should therefore stay alert while using the internet so that they can recognise such fraud. Additionally, our internal experts recommend using third-party tools that can alert users about such malicious websites.
To read more, please check the eScan Blog.