In an unusually specific campaign, users looking for information about the legality of Bengal cats in Australia are being targeted with GootLoader malware.
“In this case, we found that GootLoader actors are using search results to obtain information about a specific cat and a specific geography used to deliver the payload: ‘Are Bengal cats legal in Australia?’” Sophos researchers Trang Tang, Hikaru Koike, Asha Castle and Sean Gallagher said in a report released last week.
GootLoader, as the name suggests, is a malware downloader that is usually distributed using search engine optimization (SEO) poisoning tactics to gain initial access.
Specifically, the malware lands on victim machines when searches for specific terms, such as legal documents and agreements, in search engines such as Google surface booby-trapped links that point to compromised websites hosting a ZIP archive containing a JavaScript payload.
Once installed, it paves the way for second-stage malware, often the information-stealing and remote access trojan GootKit, although other families such as Cobalt Strike, IcedID, Kronos, REvil and SystemBC have also been delivered in the past for post-exploitation.
The latest chain of attacks is no different: a search for “do you need a license to own a bengal cat in Australia” returns results that include a link to a legitimate but compromised website owned by a Belgian LED display manufacturer, where victims are invited to download a ZIP archive.
The ZIP archive contains a JavaScript file that is responsible for launching a multi-stage attack chain culminating in the execution of a PowerShell script capable of gathering system information and retrieving additional payloads. It should be noted that an identical campaign was documented by Cybereason earlier this July.
Sophos said it did not observe the deployment of GootKit in the case it analyzed, as the download of additional malware was blocked.
“GootLoader is one of a number of ongoing malware-as-a-service delivery operations that heavily leverage search results as a means to reach victims,” the researchers said. “Using search engine optimization and abusing search ads to lure targets into downloading malware downloaders and droppers is nothing new — GootLoader has been doing it since at least 2020.”
Update
Google’s Mandiant Managed Defense team, which tracks GootLoader as SLOWPOUR, said it has also discovered a similar campaign using searches for “California lounge law requirements” to deliver malware.
“Victims search for business-related documents, such as legal requirements, agreements, or contracts, and are directed to a compromised site with information purportedly related to their search,” it said in a technical report published late last month.
“Both the archive and the JavaScript file have names that closely resemble the victim’s search query. This naming scheme helps trick a user into finding and running malware.”
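As an added illustration, not code from the Sophos or Mandiant reports, here is a defender-side heuristic for the naming pattern described above: it flags a ZIP archive that carries a script file whose name closely resembles the archive's own name. The archive contents, file names and the 0.8 similarity threshold are constructed assumptions.

```python
import io
import re
import zipfile
from difflib import SequenceMatcher

# .js is the extension the article describes; the other script extensions are assumed.
SCRIPT_EXTS = (".js", ".jse", ".wsf")

def _stem_tokens(name: str) -> str:
    """Normalise a file name into lowercase word tokens, dropping digits and punctuation."""
    stem = re.sub(r"\.[^.]+$", "", name.rsplit("/", 1)[-1])
    return " ".join(re.findall(r"[a-z]+", stem.lower()))

def suspicious_script_archive(zip_name: str, zip_bytes: bytes, threshold: float = 0.8) -> list[str]:
    """Return script members whose name closely resembles the archive name.

    Heuristic for the lure pattern in the article: a ZIP named after a search
    query carrying a JavaScript file with nearly the same name (digits ignored).
    """
    hits = []
    archive_tokens = _stem_tokens(zip_name)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(SCRIPT_EXTS):
                continue
            ratio = SequenceMatcher(None, archive_tokens, _stem_tokens(member)).ratio()
            if ratio >= threshold:
                hits.append(member)
    return hits

def _build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed lure: archive and script both named after the search query.
LURE_NAME = "do_you_need_a_license_to_own_a_bengal_cat_in_australia.zip"
LURE_ZIP = _build_zip({"do you need a license to own a bengal cat in australia 48213.js": b"// placeholder"})
# Constructed benign archives: a document, and a script whose name is unrelated to the archive.
DOC_NAME = "bengal_cat_licensing_faq.zip"
DOC_ZIP = _build_zip({"faq.pdf": b"%PDF-1.4 placeholder"})
TOOL_NAME = "do_you_need_a_license_to_own_a_bengal_cat_in_australia.zip"
TOOL_ZIP = _build_zip({"update.js": b"// placeholder"})

if __name__ == "__main__":
    for name, data in ((LURE_NAME, LURE_ZIP), (DOC_NAME, DOC_ZIP), (TOOL_NAME, TOOL_ZIP)):
        print(name, "->", suspicious_script_archive(name, data))
```

The check is a triage signal for mail and download gateways, not proof of infection; pair it with inspection of the script itself and of the referring site.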
However, there are signs that the operation changed its initial access tactics in early November 2024. A security researcher who goes by the online pseudonym GootLoader revealed that the threat actors behind the operation have moved from SEO poisoning tactics to fake PDF converters pushed through malicious ad campaigns.
“This shift from SEO poisoning and legal terms—obviously aimed at corporations—may now be aimed at ordinary users, including those who want to convert PDF files to DOCX,” the researcher noted in a brief published last week.
(The story was updated after publication to include new information about GootLoader’s campaigns.)