GootLoader Campaign

In an unusually specific campaign, users searching about the legality of Bengal Cats in Australia are being targeted with the GootLoader malware.

"In this case, we found the GootLoader actors using search results for information about a particular cat and a particular geography being used to deliver the payload: 'Are Bengal Cats legal in Australia?,'" Sophos researchers Trang Tang, Hikaru Koike, Asha Castle, and Sean Gallagher said in a report published last week.

GootLoader, as the name implies, is a malware loader that's typically distributed using search engine optimization (SEO) poisoning tactics for initial access.

Cybersecurity

Specifically, the malware is deployed onto victim machines when searching for certain terms like legal documents and agreements on search engines like Google surface booby-trapped links pointing to compromised websites that host a ZIP archive containing a JavaScript payload.

Once installed, it makes way for a second-stage malware, often an information stealer and remote access trojan dubbed GootKit, although it has also been observed delivering other families such as Cobalt Strike, IcedID, Kronos, REvil, and SystemBC in the past for post-exploitation.

GootLoader Campaign

The latest attack chain is no different in that searches for "Do you need a license to own a Bengal cat in Australia" surface results that include a link to a legitimate-but-infected website belonging to a Belgium-based LED display maker, from where victims are prompted to download a ZIP archive.

Present within the ZIP archive is a JavaScript file that's then responsible for kicking off a multi-stage attack chain that culminates in the execution of a PowerShell script capable of harvesting system information and fetching additional payloads. It's worth noting that an identical campaign was documented by Cybereason earlier this July.

Cybersecurity

Sophos said it did not observe the deployment of GootKit in the case the company analyzed, thereby preventing the download of additional malware.

"GootLoader is one of a number of continuing malware-delivery-as-a-service operations that heavily leverage search results as a means to reach victims," the researchers said. "The use of search engine optimization, and abuse of search engine advertising to lure targets to download malware loaders and dropper, are not new—GootLoader has been doing this since at least 2020."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.