Fresh from a series of serious reports detailing its five-year battle with Chinese cyberattackers, Sophos has dropped a curious story about users of a popular infostealer-cum-RAT targeting a niche group of victims.

Around since 2014, Gootloader has been one of the most popular malware strains of its kind. It’s used as an infostealer or at times a malware dropper acting as a precursor to other attacks like ransomware. 

Financially motivated attackers typically cast their net far and wide or target specific, high-value organizations and/or individuals such as banks and crypto investors. It’s what makes the security shop’s finding that criminals, armed with Gootloader, were seemingly targeting Australian enthusiasts of Bengal cats all the more baffling.

You see, Gootloaderers are known for using SEO poisoning tactics to deploy their wares on unsuspecting victims. Sophos began a “broad threat hunting” investigation into the malware after a new variant popped up in March, finding signs that these tactics were being used to target individuals who searched: “Are Bengal cats legal in Australia?” and similar queries.

In one example, the researchers showed how the first website returned following a search engine query – an SEO-poisoned forum – containing posts with hyperlinked text. When clicked, this immediately led to the download of a suspicious ZIP file, which executed the first stage of the malware’s payload. 

The user’s browser was also redirected to a different website which dropped a large JavaScript file and researchers noted many processes being spun up on the victim’s machine.

Among these processes, there appeared to be signs of the crooks establishing persistence and passing commands to PowerShell to deploy Gootkit, the third stage of the malware that leads to tools like Cobalt Strike and ransomware being dropped.

“Gootloader is one of a number of continuing malware-delivery-as-a-service operations that heavily leverage search results as a means to reach victims,” the researchers said in their blog, which also features more technical analysis and IOCs. 

“The use of search engine optimization, and abuse of search engine advertising to lure targets to download malware loaders and droppers, are not new – Gootloader has been doing this since at least 2020, and we’ve observed Raccoon Stealer and other malware-as-a-service operations doing the same for just as long. 

“But we’ve seen continued growth in this approach to initial compromise, with several massive campaigns using this technique over the past year.”

SEO poisoning and malvertising go hand-in-hand, but the latter has received special attention recently from researchers to national security agencies.

NCC Group said earlier this year that the tactic is ever-popular in the cybercrime ecosystem, benefitting initial access brokers (IABs) and ransomware crooks alike. 

Malvertising often involves promoted websites serving trojanized versions of legitimate apps. These typically have infostealer capabilities and the credentials they harvest are then sent back to and sold by IABs whose clientele heavily consists of ransomware affiliates. 

Researchers spoke last year of how ALPHV/BlackCat, the now-fallen but once-grand figurehead of the ransomware scene, was using malvertising tactics as part of affiliates’ initial access routine, for example.

And as recently as today, national cybersecurity agencies like the UK’s NCSC are still working with advertisers to help quell the scourge of malvertising, given its close relationship with ransomware.

Naturally, Google has caught some flak for “allowing” this activity to thrive in its search engine results, but consistently defends its case, highlighting how it’s not allowed and when reported, sites are often delisted from search results. ®