
How Gootkit trojan distributes ransomware via Google SERPs

Unwitting developers who search forums for script help can fall victim to Gootkit trojan and ransomware attacks

Detlef Johnson on March 3, 2021 at 1:56 pm

It’s a given in marketing technology nowadays to add scripts to your HTML that inject even more script; Google Tag Manager is a prime example. Too often, though, marketers and website managers don’t realize that those scripts can wreak havoc on page performance in exchange for ads and tracking. And when criminal hackers inject script into our HTML without our knowledge, they can leverage our search engine ranking potential for their own enterprise.

In part, this is made possible by Evergreen Googlebot and its JavaScript support. Attackers locate and then target vulnerabilities in highly ranked websites in order to compromise them for use with a NodeJS malware framework called Gootkit (a play on the word ‘rootkit’), which powers artificial pages under otherwise totally authoritative domain names.

Gootkit framework’s SEO template

Here’s how it works: generated code detects Googlebot, ordinary users, and especially Google search users. Knowing in advance what potential victims are likely to search for on Google, hackers create a forum post thread template with a malware download link, designed to show up in Google SERPs as the perfect resource answer for those searches.

For example, an employee on a Windows network uses Google to find a resource and downloads a legitimate-looking zip archive. This user doesn’t know that the download contains scrambled JavaScript with a multi-step decoding routine that reassembles and runs scripts after successfully evading detection. If opened, the download installs Gootkit’s trojan and communicates with the attacker’s machine, which hosts the server-side portion of the framework. From then on, the infected search user’s system is set up to run the trojan on every restart.
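One way a site owner can check for the audience-dependent pages described above is to fetch the same URL as Googlebot, as a browser arriving from a Google result, and as a direct visitor, then compare what comes back. This is an added example, not code from the article or from Sophos; the profile headers and the sample pages are constructed assumptions, and a page that builds its content with client-side JavaScript would need a headless browser instead of a plain fetch.

```python
"""Cloaking check: fetch one URL under several client profiles and diff them."""
import difflib
import urllib.request

# Assumed client profiles: Googlebot, a browser arriving from a Google SERP,
# and a direct visit with no referrer (the baseline).
PROFILES = {
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                "+http://www.google.com/bot.html)"},
    "from_google": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
                    "Referer": "https://www.google.com/"},
    "direct": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
}

def fetch_variants(url, timeout=10):
    """Fetch url once per profile. Returns {profile_name: body_text}."""
    bodies = {}
    for name, headers in PROFILES.items():
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            bodies[name] = resp.read().decode("utf-8", "replace")
    return bodies

def similarity(a, b):
    """Text similarity in 0.0..1.0 (difflib ratio)."""
    return difflib.SequenceMatcher(None, a, b).ratio()

def find_cloaking(bodies, threshold=0.9):
    """Profiles whose page differs from the direct-visit baseline.
    Returns sorted (profile, ratio) pairs with ratio below the threshold."""
    base = bodies["direct"]
    hits = []
    for name, body in bodies.items():
        if name == "direct":
            continue
        ratio = round(similarity(base, body), 3)
        if ratio < threshold:
            hits.append((name, ratio))
    return sorted(hits)

# Constructed sample: Googlebot and search visitors get an injected "forum
# thread" with a zip download; a direct visitor gets the real pizza page.
REAL = ("<html><body><h1>Chicago deep dish pizza</h1>"
        "<p>Order online for delivery or pickup at any location.</p></body></html>")
FAKE = ("<html><body><h1>Re: script to list network shares on windows</h1>"
        "<p>Here is the one I use, it is in the archive: "
        "<a href=\"/files/script.zip\">script.zip</a></p></body></html>")
SAMPLE = {"googlebot": FAKE, "from_google": FAKE, "direct": REAL}
```

Run `find_cloaking(fetch_variants("https://example.com/some-page"))` against a live page; on the constructed sample it flags both the Googlebot and the search-referred profiles.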

Fileless attack?

Once launched, everything on the infected computer operates in system memory without further use of the filesystem. The novelty of this type of attack, using the power of JavaScript in a sophisticated “fileless” way as a detection evasion strategy, is why malware analysis company Sophos deemed it worthy of its own name, Gootloader, to differentiate it from more ordinary trojan loading procedures.

And as if that weren’t nefarious enough: historically, Gootkit was primarily used to distribute the Kronos banking malware via email. Now, with the latest “improvement” to the framework, Gootkit arms criminals to use Google for distribution and gives them a payload architecture extended to handle (and possibly manage) ransomware extortion schemes.

Ransomware is highly effective when coupled with the exfiltration of secrets, which adds blackmail pressure on companies and institutions to pay up. This attack is very difficult to guard against, and its presence is hard for anti-malware software to detect. It might even fool seasoned IT professionals in a hurry. Ordinary workforce Google search users hardly stand a chance.

It adds Registry key/value pairs as part of obfuscating its own decoding keys and variable names, and those entries can offer a way to uncover it. More obviously, in a successful attack on a compromised website, the topic of the fake thread will likely diverge from the rest of the site’s content. Detecting that thread by content analysis, and especially through telltale signs in the malware’s HTML template output, could be how Google discovers compromised sites and alerts site owners.
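The content-analysis idea above can be applied by a site owner as well as by Google: build a vocabulary profile from known-good pages and flag any page that does not fit it, with the thread-style wording and the zip download link as extra signals. This is an added heuristic example, not the article’s or Google’s method; the similarity threshold, the stopword list and the sample pages are constructed assumptions.

```python
"""Content-analysis triage for injected threads on an otherwise legitimate site."""
import math
import re
from collections import Counter

# Assumed stopword list; tune it to the site's language.
STOP = {"the", "and", "for", "our", "you", "with", "this", "that", "all", "any"}

def tokens(text):
    """Strip tags, lowercase, keep words of 3+ letters, drop stopwords."""
    text = re.sub(r"<[^>]+>", " ", text.lower())
    return [w for w in re.findall(r"[a-z]{3,}", text) if w not in STOP]

def cosine(c1, c2):
    """Cosine similarity between two term-count vectors."""
    dot = sum(c1[w] * c2[w] for w in c1 if w in c2)
    n1 = math.sqrt(sum(v * v for v in c1.values()))
    n2 = math.sqrt(sum(v * v for v in c2.values()))
    return dot / (n1 * n2) if n1 and n2 else 0.0

def site_profile(pages):
    """Term counts over known-good pages: the site's normal vocabulary."""
    profile = Counter()
    for page in pages:
        profile.update(tokens(page))
    return profile

def topic_score(page, profile):
    """How well a page's vocabulary matches the site profile (0.0..1.0)."""
    return cosine(Counter(tokens(page)), profile)

ZIP_LINK = re.compile(r'href="[^"]*\.zip"', re.I)
THREAD_WORDS = re.compile(r"\bre:\s|\b(reply|thread|forum)\b", re.I)

def suspicious(page, profile, min_sim=0.2):
    """Reasons a page looks like an injected forum-thread template."""
    reasons = []
    if topic_score(page, profile) < min_sim:
        reasons.append("off-topic vs site vocabulary")
    if ZIP_LINK.search(page):
        reasons.append("links to a .zip download")
    if THREAD_WORDS.search(page):
        reasons.append("forum-thread wording")
    return reasons

# Constructed sample: three real pizza pages and one injected thread.
GOOD = [
    "<h1>Deep dish pizza</h1><p>Order pizza online for delivery in Chicago. Our deep dish pizza menu and locations.</p>",
    "<h1>Menu</h1><p>Deep dish pizza, thin crust pizza, salads and pasta. Order online or visit our Chicago locations.</p>",
    "<h1>Locations</h1><p>Find a Chicago pizza restaurant near you. Delivery and online ordering available at all locations.</p>",
]
FAKE = ("<h1>Re: script to list windows network shares</h1><p>Here is the script "
        "you asked for, the archive contains a readme too. "
        "<a href=\"/files/script.zip\">download script.zip</a></p>")
```

Score each page against a profile built from the other pages (leave-one-out) so a page never vouches for itself.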

What about other search engines?

At this time, it doesn’t appear that criminal users of the Gootkit malware framework have targeted other search engines to poison SERPs. Theoretically, there is nothing stopping them from doing exactly that. The Gootkit framework author(s) may be the reason, if they only ever cared to filter for Googlebot’s user agent: modifying the source is not always in the skill set of the criminal end user.

Why we care

I’ve actually seen this type of attack in action with SEO clients, and such attacks are only going to get worse and more frequent. Gootkit goes back to 2014, and we briefly discussed a case from back then in our SMX workshop, SEO for Developers. Future workshops with more depth on security topics may divulge additional details, given the distance in time from that particular incident and because information security is in our wheelhouse. It serves as both a warning and a lesson for developers.

If it happens to any sites you’re working on, you’ll have to go to the root to solve it. In our case, it was PHP’s eval() that maliciously published a fake sports memorabilia e-commerce website under a popular Chicago pizza chain restaurant’s domain name. The attack attempted to piggyback on the ranking potential of the popular domain name and the topical relevancy between pizza and sports. In our capacity as their interactive agency, we were in a position to analyze log files, which led us to uncover and remove the malware entry point and install safeguards to try to prevent such things from happening again.



About The Author

Detlef Johnson
Detlef Johnson is the SEO for Developers Expert for Search Engine Land and SMX. He is also a member of the programming team for SMX events and writes the SEO for Developers series on Search Engine Land. Detlef is one of the original group of pioneering webmasters who established the professional SEO field more than 25 years ago. Since then he has worked for major search engine technology providers such as PositionTech, managed programming and marketing teams for Chicago Tribune, and advised numerous entities including several Fortune companies. Detlef lends a strong understanding of Technical SEO and a passion for Web development to company reports and special freelance services.
