Security researchers have discovered a new delivery mechanism for malware that climbs to the top of all search results after bypassing Google’s famous SEO (Search Engine Optimization) algorithm.
Although the Gootkit malware itself has been around for several years and has been analyzed by cyber security firm Sophos in the past, it is its new delivery mechanism that has earned it the nickname Gootloader and is the subject of their recent analysis.
“Gootloader uses malicious search engine optimization (SEO) techniques to worm its way into Google search results. The way it accomplishes this task deserves some discussion, as it is as much about technology as it is about human psychology,” shares Sophos.
The researchers share that as per their analysis, many of the hacked websites were running well-known content management systems (CMS), without naming them. The threat actors have tweaked the backend that fetches and runs a script to make the websites present a slightly modified version of the original information based on the victim’s search query.
The researchers note that this new mechanism is being used to not just spread Gootkit, but several other trojans and ransomware such as Kronos, REvil, Cobalt Strike, and more.
Sophos claims that it is the layers of tricks that makes this delivery mechanism so effective. “At several points, it’s possible for end users to avoid the infection, if they recognize the signs. The problem is that even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use,” believe the researchers.
This strange malware tricks Google into improving your website’s SEO – and then attacks