How Gootkit trojan distributes ransomware via Google SERPs

It’s a given in marketing technology nowadays to add scripts to your HTML that inject even more script. Google’s Tag Manager is a great example. But too often marketers and website managers don’t realize that scripts can wreak havoc on page performance in exchange for adding ads and tracking. When (bad) hackers inject script into HTML without our knowledge, they now can leverage our search engine ranking potential for criminal enterprise.

In part, this is made possible because of Evergreen Googlebot and JavaScript. Attackers locate and then target vulnerabilities in highly ranked websites in order to compromise them for use with a NodeJS malware framework called Gootkit, (a play on the word: ‘rootkit‘), to power artificial pages under otherwise totally authoritative domain names.

Gootkit framework’s SEO template

Here’s how it works: Generated code detects Googlebot, ordinary users, and especially Google search users. With an advanced idea of potential victim’s Google search queries, hackers create a forum post thread template with a malware download link that is designed to show up in Google SERPs as the perfect resource answer for those searches.

For example, an employee on a Windows network uses Google to find a resource to download a legit-looking zip archive. This user doesn’t know that the download contains scrambled JavaScript with a multi-step decoding routine that re-assembles and runs scripts after successfully evading detection. If opened, the download will install Gootkit’s trojan and communicate with the attacker’s machine, hosting the server-side portion of the framework. The infected search user’s system is prepared to run the trojan on the restart from then onward.

Fileless attack?

Once launched, everything on the infected computer operates using system memory without further use of the filesystem. The novelty of this type of attack, using the power of JavaScript in a sophisticated “fileless” way to serve as a detection evasion strategy, is the reason malware analysis company Sophos deemed it worthy enough to differentiate it from more ordinary trojan loading procedures by name: Gootloader.

And as if that weren’t nefarious enough, historically speaking, Gootkit was primarily used to distribute banking malware Kronos via email. Now, with the advent of the latest “improvement” to the framework, Gootkit armed criminals to be able to use Google for distribution and access a payload architecture extended to include handling (and possibly managing) ransomware extortion schemes.

Ransomeware is highly effective when coupled with the exfiltration of secrets to add blackmail pressure for companies and institutions to pay up. This attack is very difficult to guard against, or for anti-malware software to detect the presence of. It might even fool seasoned IT professionals in a hurry. Ordinary workforce Google search users hardly stand a chance.

It adds system Registry Key/Value pairs as part of obfuscating its own decoding keys and variable names, which can lead to a way to uncover it. More obviously, the topic of the fake thread in a successful attack on a compromised website will likely vary from the rest of the site’s content. Detecting that thread by content analysis and especially through telltale signs from HTML template malware output could be how Google can discover compromised sites and alert site owners.

What about other search engines?

At this time, it doesn’t appear that criminal users of the Gootkit malware framework have targeted other search engines to poison SERPs. Theoretically, there is nothing stopping them from doing exactly that. The Gootkit framework author(s) might be to blame if they only ever cared to filter for Googlebot’s user-agent. A source modification is not always in the skill set of the criminal end-user.

Why we care

I’ve actually seen this type of attack in action with SEO clients, and they are only going to get worse and become more frequent. Gootkit goes back to 2014, and we briefly discussed a case from back then in our SMX Workshop: SEO for Developers. Future workshops with more depth on security topics may divulge additional details given the distance in time from that particular incident and because information security is in our wheelhouse. It serves both as a warning and lesson for developers.

If it happens to any sites you’re working on, you’ll have to go to the root to solve it. In our case, it was PHP’s eval() that maliciously published a fake sports memorabilia e-commerce website under a popular Chicago pizza chain restaurant’s domain name. The attack attempted to piggyback on the ranking potential of the popular domain name and the topic relevancy between pizza and sports. In our capacity as their interactive agency, we were in a position to analyze log files which led to us uncover and remove the malware entry point and install safeguards to try and prevent from such things happening again.