Search Engine Land

How Gootkit trojan distributes ransomware via Google SERPs

Unknowing developers that search forums for script help can fall victim to Gootkit trojan and ransomware attacks

Detlef Johnson on March 3, 2021 at 1:56 pm

It’s a given in marketing technology nowadays to add scripts to your HTML that inject even more script; Google’s Tag Manager is a great example. But too often marketers and website managers don’t realize that scripts can wreak havoc on page performance in exchange for adding ads and tracking. When (bad) hackers inject script into HTML without our knowledge, they can now leverage our search engine ranking potential for criminal enterprise.

In part, this is made possible because of Evergreen Googlebot and JavaScript. Attackers locate and then target vulnerabilities in highly ranked websites in order to compromise them for use with a NodeJS malware framework called Gootkit (a play on the word ‘rootkit’), which powers artificial pages under otherwise totally authoritative domain names.

Gootkit framework’s SEO template

Here’s how it works: Generated code detects Googlebot, ordinary users, and especially Google search users, and serves each a different page. With advance knowledge of potential victims’ likely Google search queries, hackers create a forum post thread template with a malware download link that is designed to show up in Google SERPs as the perfect resource answer for those searches.

For example, an employee on a Windows network uses Google to find a resource and downloads a legit-looking zip archive. This user doesn’t know that the download contains scrambled JavaScript with a multi-step decoding routine that re-assembles and runs scripts after successfully evading detection. If opened, the download will install Gootkit’s trojan and communicate with the attacker’s machine, which hosts the server-side portion of the framework. From then on, the infected search user’s system is set up to run the trojan on every restart.

Fileless attack?

Once launched, everything on the infected computer operates using system memory without further use of the filesystem. The novelty of this type of attack, using the power of JavaScript in a sophisticated “fileless” way to serve as a detection evasion strategy, is the reason malware analysis company Sophos deemed it worthy enough to differentiate it from more ordinary trojan loading procedures by name: Gootloader.

And as if that weren’t nefarious enough, historically speaking, Gootkit was primarily used to distribute the banking malware Kronos via email. Now, with the latest “improvement” to the framework, Gootkit arms criminals to use Google for distribution and gives them a payload architecture extended to handle (and possibly manage) ransomware extortion schemes.

Ransomware is highly effective when coupled with the exfiltration of secrets to add blackmail pressure for companies and institutions to pay up. This attack is very difficult to guard against, and difficult for anti-malware software to detect. It might even fool seasoned IT professionals in a hurry. Ordinary workforce Google search users hardly stand a chance.

It adds system Registry key/value pairs as part of obfuscating its own decoding keys and variable names, which offers one way to uncover it. More obviously, the topic of the fake thread in a successful attack on a compromised website will likely differ from the rest of the site’s content. Detecting that thread by content analysis, and especially through telltale signs in the HTML the malware template outputs, could be how Google discovers compromised sites and alerts site owners.
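The cloaking described above can be checked from outside by requesting the same URL as an ordinary visitor, as a visitor arriving from Google, and as Googlebot, then comparing the visible text of each response and looking for the archive download lure of the fake thread. This is an added example, not code from the article or from Sophos; the request variants, the similarity threshold and the sample pages are constructed assumptions.

```python
import difflib
import re
from urllib.request import Request, urlopen

# Request variants to compare (constructed assumption): the cloaking script on a
# compromised site keys its output on the User-Agent and on a Google referer.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
VARIANTS = {
    "plain": {"User-Agent": BROWSER_UA},
    "google_referer": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
}

def fetch(url, headers):
    """Fetch one page variant; pass another fetcher to audit() for offline use."""
    with urlopen(Request(url, headers=headers), timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def visible_text(html):
    """Strip script/style blocks and tags, leaving roughly what a reader sees."""
    html = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip()

def has_download_lure(html):
    """Telltale of the fake-thread template: a link to an archive to download."""
    return re.search(r'href=["\'][^"\']+\.(zip|rar|7z)["\']', html, re.I) is not None

def compare_variants(pages, threshold=0.5):
    """pages maps variant name -> HTML. Returns (similarity report, flagged variants).
    A variant whose visible text matches less than `threshold` of the plain page's
    text is flagged as cloaked; identical content scores 1.0."""
    base = visible_text(pages["plain"])
    report = {name: round(difflib.SequenceMatcher(None, base, visible_text(html)).ratio(), 3)
              for name, html in pages.items()}
    return report, sorted(n for n, r in report.items() if r < threshold)

def audit(url, fetcher=fetch):
    pages = {name: fetcher(url, hdrs) for name, hdrs in VARIANTS.items()}
    return compare_variants(pages)

# Constructed sample responses standing in for a live site (not real captures).
FAKE_THREAD = ("<html><body><div class='post'><h2>Need a script to batch rename "
               "files on Windows server 2016</h2><p>Has anyone got a working script "
               "for this? Tried a few from other forums but none of them worked.</p>"
               "<p>Re: found a working one, attached it in a zip below.</p>")
SAMPLE_PAGES = {
    "plain": "<html><body><h1>Deep Dish Pizza Chicago</h1><p>Order online for delivery.</p></body></html>",
    "googlebot": FAKE_THREAD + "</div></body></html>",
    "google_referer": FAKE_THREAD + "<a href='/dl/script.zip'>download</a></div></body></html>",
}
```

Running `audit()` against a suspect URL flags the variants that receive the fake thread; a flagged Googlebot variant means the cloaked content is what gets indexed, which is exactly the ranking abuse the article describes.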

What about other search engines?

At this time, it doesn’t appear that criminal users of the Gootkit malware framework have targeted other search engines to poison SERPs. Theoretically, there is nothing stopping them from doing exactly that. The Gootkit framework author(s) might be to blame if they only ever cared to filter for Googlebot’s user-agent; modifying the source is not always in the skill set of the criminal end-user.

Why we care

I’ve actually seen this type of attack in action with SEO clients, and such attacks are only going to get worse and more frequent. Gootkit goes back to 2014, and we briefly discussed a case from back then in our SMX Workshop: SEO for Developers. Future workshops with more depth on security topics may divulge additional details, given the distance in time from that particular incident and because information security is in our wheelhouse. It serves as both a warning and a lesson for developers.

If it happens to any sites you’re working on, you’ll have to go to the root to solve it. In our case, it was PHP’s eval() that maliciously published a fake sports memorabilia e-commerce website under a popular Chicago pizza chain restaurant’s domain name. The attack attempted to piggyback on the ranking potential of the popular domain name and the topic relevancy between pizza and sports. In our capacity as their interactive agency, we were in a position to analyze log files, which led us to uncover and remove the malware entry point and install safeguards to try to prevent such things from happening again.

About The Author

Detlef Johnson
Detlef Johnson is the SEO for Developers Expert for Search Engine Land and SMX. He is also a member of the programming team for SMX events and writes the SEO for Developers series on Search Engine Land. Detlef is one of the original group of pioneering webmasters who established the professional SEO field more than 20 years ago. Since then he has worked for major search engine technology providers, managed programming and marketing teams for Chicago Tribune, and consulted for numerous entities including Fortune 500 companies. Detlef now works for Internet Marketing Ninjas lending a strong understanding of Technical SEO and a passion for Web programming to company reports and special services.

Related Topics: SEO, SEO for Developers

© 2021 Third Door Media, Inc. All rights reserved.