In an unusually specific campaign, users searching for information about the legality of Bengal cats in Australia are being targeted with the GootLoader malware.
“In this case, we found the GootLoader actors using search results for information about a particular cat and a particular geography being used to deliver the payload: ‘Are Bengal Cats legal in Australia?’” Sophos researchers Trang Tang, Hikaru Koike, Asha Castillo, and Sean Gallagher said in a report published last week.
GootLoader, as the name implies, is a malware loader that is typically distributed using search engine optimization (SEO) poisoning tactics to gain initial access.
Specifically, the malware lands on victim machines when searches for certain terms, such as legal documents and agreements, on search engines like Google surface booby-trapped links pointing to compromised websites that host a ZIP archive containing a JavaScript payload.
Once installed, it makes way for a second-stage malware, often an information stealer and remote access trojan dubbed GootKit, although it has also been observed delivering other families such as Cobalt Strike, IcedID, Kronos, REvil, and SystemBC for post-exploitation in the past.
The latest attack chain is no different: searches for “Do you need a license to own a Bengal cat in Australia” surface results that include a link to a legitimate-but-infected website belonging to a Belgium-based LED display maker, from where victims are prompted to download a ZIP archive.
Present within the ZIP archive is a JavaScript file that is responsible for kicking off a multi-stage attack chain culminating in the execution of a PowerShell script capable of harvesting system information and fetching additional payloads. It is worth noting that an identical campaign was documented by Cybereason earlier this July.
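As an added example (not code from the Sophos report or from this article), the following Python scores process-creation events for the chain described above: a Windows Script Host process running a .js file from a download or temp directory, and then spawning PowerShell. The event layout, the script-host process names (wscript.exe/cscript.exe), the file name, and the sample events are all constructed assumptions for the example; the article itself does not name the process that runs the JavaScript file.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry). Each record
# is pid, parent pid, image path and command line, roughly what Sysmon event
# ID 1 or an EDR process-start event provides.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # The user double-clicks the JavaScript file extracted from the ZIP;
    # the file name is a constructed placeholder, not the real lure.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\bengal cat license australia.js"'},
    # A later stage hands off to PowerShell (assumed parent/child relation);
    # the script body is omitted on purpose.
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c $stage2"},
    # Benign control: a developer running a build script from a project folder.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Projects\site\build.js"},
]

# Script hosts assumed to execute a double-clicked .js file on Windows.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories where a freshly downloaded and extracted archive typically lands.
DOWNLOAD_DIRS = re.compile(r"\\(downloads|temp|tmp)\\", re.IGNORECASE)
# First .js argument on the command line, quoted (may contain spaces) or bare.
JS_ARG = re.compile(r'"([^"]*?\.js)"|(\S+\.js)(?=\s|$)', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_gootloader_chains(events):
    """Return one finding per script host that ran a .js file from a
    download/temp directory, rated 'high' if it also spawned PowerShell."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        m = JS_ARG.search(e["cmdline"])
        if not m:
            continue
        script = m.group(1) or m.group(2)
        if not DOWNLOAD_DIRS.search(script):
            continue  # script run from a normal location: not flagged
        spawned_ps = any(basename(c["image"]) == "powershell.exe"
                         for c in children[e["pid"]])
        findings.append({
            "pid": e["pid"],
            "script": script,
            "powershell_child": spawned_ps,
            "severity": "high" if spawned_ps else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_gootloader_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the script-host launch from Downloads is reported as a high-severity finding because PowerShell is its child, while the build script run from a project folder is ignored. In a real deployment the same logic would be fed from Sysmon or EDR process-creation telemetry, and the directory list would be tuned to the environment.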
Sophos said it did not observe GootKit being deployed in the case it analyzed, so no additional malware was downloaded.
“GootLoader is one of a number of continuing malware-delivery-as-a-service operations that heavily leverage search results as a means to reach victims,” the researchers said. “The use of search engine optimization, and abuse of search engine advertising to lure targets to download malware loaders and droppers, are not new—GootLoader has been doing this since at least 2020.”