How Gootkit trojan distributes ransomware via Google SERPs

Unwitting developers who look for script help on forums may become victims of the Gootkit virus and ransomware assaults.

In today’s marketing technologies, it’s standard practice to include scripts in your HTML to inject even more script. Tag Manager by Google is a wonderful example. However, many marketers and website managers are unaware that scripts can have a negative impact on page performance in exchange for ads and tracking. When (bad) hackers inject script into HTML without our permission. They can now take advantage of our search engine ranking potential for nefarious purposes.

This is made possible in part because of the Evergreen Googlebot and JavaScript. Attackers find and exploit weaknesses in high-ranking websites in order to compromise them and utilize a NodeJS malware framework called Gootkit (a play on the word “rootkit”) to create fake pages under otherwise completely trustworthy domain names.

Gootkit framework’s SEO template

The following is how it works: Googlebot, regular users, and notably. Google search users are all detected by the generated code. Hackers develop a forum post thread template with a malware download link that is tailored to show up in Google SERPs as the best resource response for potential victims. Google search queries, based on their sophisticated knowledge of potential victims’ Google search queries.

For example, a Windows network employee searches Google for a resource to download a legitimate-looking zip package. This user is unaware that the download contains scrambled JavaScript with a multi-step decoding process. That is successfully evaded detection and reassembles and runs programs. The download will install the Gootkit trojan and communicate with the attacker’s machine if it is opened. Hosting the framework’s server-side components. The system of the infected search user is now set up to run the trojan every time the computer is restarted.

Fileless attack?

Everything on the infected PC uses system memory instead of the filesystem once it has been launched. Because of the uniqueness of this form of assault. Which employs the capabilities of JavaScript in a sophisticated “fileless” manner to act as a detection evasion strategy, malware analysis firm Sophos judged it worthy of being distinguished from other common trojan loading methods by name. Gootloader.

As if that weren’t bad enough, Gootkit was historically used to send financial malware Kronos over email. With the release of the most recent “upgrade” to the framework. Gootkit has enabled criminals to leverage Google for distribution and gain access to a payload architecture that includes processing (and perhaps administering) ransomware extortion schemes.

When combined with the exfiltration of information, ransomware is a powerful tool for blackmailing organizations and institutions into paying up. This attack is extremely tough to defend against and detect with anti-malware software. In a rush, it may even mislead seasoned IT specialists. Ordinary Google search users in the working have little chance.

It obfuscates its own decoding keys and variable names by adding system Registry Key/Value pairs. which could lead to a means to decode it. In a successful attack on a compromised website. The false thread’s topic will most likely differ from the rest of the site’s content. Google may be able to locate infected sites and inform site owners by using content analysis and, in particular, telltale indicators from HTML template malware output.

What about other search engines?

At this moment, it does not appear that criminals using the Gootkit malware framework have poisoned SERPs using other search engines. Theoretically, nothing stands in the way of them doing just that. If the Gootkit framework author(s) solely concerned about filtering for Googlebot’s user-agent, they might be to blame. The criminal end-skill user’s set does not usually include source modification.

Why we care

I’ve personally witnessed this type of attack with SEO clients, and it’s just going to get worse and more common. Gootkit was founded in 2014, and in our SMX Workshop: SEO for Developers, we discussed a case from that time. Given the time since the incident and the possibility of future workshops with more in-depth security subjects. Future workshops with more in-depth security topics may reveal new details. Because we’re experts in the field of information security. It serves as a warning as well as a lesson to developers.

If this happens on any of the sites you’re working on, you’ll have to go back to the beginning to fix it. In this example, PHP’s eval() function was used to maliciously publish a false sports memorabilia e-commerce website under the domain name of a prominent Chicago pizza chain restaurant. The campaign aimed to capitalize on the popular domain name’s high ranking potential as well as the topical relevance of pizza and sports. As their interactive agency, we were able to study log data. Which led to the discovery and removal of the malware entry point, as well as the installation of measures to try to prevent this from happening again.

The post How Gootkit trojan distributes ransomware via Google SERPs appeared first on Soft Trending.



from Soft Trending https://ift.tt/3jjGXkx
via softtrending

Comments

Post a Comment

Popular posts from this blog

Lawyer SEO

Image
The basic fundamentals of SEO for lawyers are outlined in this guide, along with practical tips and examples. That can be easily applied to your website so that you start appearing in search engine results. You’ll learn what SEO is, how to apply it tactically, and what to look for if you’re considering recruiting an external vendor who specializes in law firm SEO. In the digital world of today, so many people are now going online to find information and compare their options. If it’s difficult for people to find you online. You’re most likely losing out on a significant amount of potential clients. But first, this guide focuses on SEO for lawyers who are just at the beginning stages of developing an online lead generation strategy. So let’s start with definitions, so you can go ahead and work on attracting potential clients. so that you can focus on winning new clients. What is Lawyer SEO? The art of improving your law firm’s search engine optimization or online ranking while drivi
Read more

When Google Search results are new and possibly unreliable, a notification appears

Image
When Google detects that its search results aren’t of the highest quality, it issues a warning. Google is experimenting with a new search function. That alerts users when the results for their query are fresh and hence potentially untrustworthy. The... The post When Google Search results are new and possibly unreliable, a notification appears appeared first on Soft Trending. http://dlvr.it/S2cVjM
Read more

Zero-click Google searches grew to roughly 65 percent

Image
Efforts to restrict Google haven’t had much of an impact. Furthermore, while the epidemic may have increased total search volume. Zero-click searches may increase even more as individuals become more mobile. According to a SimilarWeb analysis provided by Rand Fishkin, founder of SparkToro, approximately 65 percent of Google searches concluded without a click to another web page between January and December 2020. Up from 50 percent in June 2019. 46.5 percent of searches on the desktop were zero-click, compared to 77.2 percent on mobile. Methodology caveats. This most recent result and the 50% figure from 2019 were not derived from the same data source and used different search algorithms. SimilarWeb’s new data incorporates both mobile and desktop devices. Including iOS devices, and covers a pool of 5.1 trillion global Google searches. Only one billion web browser searches from domestic desktop and Android devices were included in the data Fishkin utilized in 2019. Which came from
Read more