GootLoader is Back

The operators of the GootLoader campaign are targeting employees of accounting and law firms as part of a renewed wave of attacks that deploy malware on infected systems.  This is an unfortunate sign that the adversary is expanding its focus to other high-value targets.  The Gootkit malware family has been active for five years or more and is used to distribute other code, such as ransomware, which encrypts the files on a Windows computer and releases them only once a ransom is paid.

GootLoader uses malicious search engine optimization (SEO) techniques to place its pages in Google search results.  The way it accomplishes this deserves some discussion, because it depends as much on human psychology as on technology.  A malicious result that delivers GootLoader appears legitimate, both to the person searching and to the search engine ranking it.

GootLoader is a stealthy initial-access malware: after gaining a foothold on the victim's computer, it infects the system with ransomware or other destructive malware, researchers reported.  The cybersecurity investigator said it had intercepted and dismantled intrusions aimed at three law firms and an accounting enterprise.  The names of the victims were not disclosed.

Malware can be delivered to targets' systems by many methods, including poisoned search results, fake updates, and trojanized applications downloaded from sites linking to pirated software.  The attackers get people to visit the compromised sites by posting content that answers a very specific question, so that the compromised site appears at the top of Google's search results when people search for that answer.

In March 2021, details emerged of a global drive-by download campaign that tricked unsuspecting victims into visiting compromised WordPress websites belonging to legitimate businesses, using a technique called search engine poisoning that pushes these sites to the top of the search results.

"Their modus operandi (MO) is to entice a business professional to one of the compromised websites and then have them click on the link, leading to Gootloader, which attempts to retrieve the final payload, whether it be ransomware, a banking trojan or intrusion tool/credential stealer," the researchers explained in a write-up.

Researchers estimate that over 100,000 malicious webpages were set up during 2021 across websites representing entities in the hotel industry, high-end retail, education, healthcare, music and visual arts, with one of the hacked websites hosting 150 rogue pages designed to social engineer users searching for postnuptial or intellectual property agreements.[1]

The websites themselves are broken into by exploiting security vulnerabilities in the WordPress content management system (CMS), permitting the attackers to inject pages of their choosing without the website owner's knowledge.  The nature of GootLoader, and the way it is designed to provide a backdoor into systems, suggests that the goal of the attacks could be intelligence gathering; it can also serve as a tool for delivering additional damaging payloads, including Cobalt Strike and ransomware, to compromised systems for follow-on attacks.

GootLoader relies heavily on social engineering to establish its foothold, from poisoning Google search results to fashioning the lure itself.  Its operators invite employees to seek out, download, and execute the malware under the guise of a free business agreement template.  This is particularly effective against law firms, whose staff may routinely encounter unusual document requests from clients.

To mitigate such threats, organizations should put in place a vetting process for business agreement samples, continually train employees to open documents only from trusted sources, and verify that the content actually downloaded matches the content the user intended to download.
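The last recommendation, that a downloaded "template" really be the document its name claims, is the one control that does not depend on users noticing anything. The following is an added illustration of that check, written for this page and not code from Red Sky Alliance or from any GootLoader analysis: it classifies a download by its content bytes, compares that with the extension in the file name, and looks inside archives for script or program members. The signature table, the set of script extensions, and the sample inputs are all assumptions constructed for the example; nothing here describes a specific GootLoader artifact.

```python
"""Check that a downloaded 'template' is the document type its name claims.

Added example for this page; not Red Sky Alliance code. The magic-byte table,
the script-extension list and the sample files below are assumptions built
for illustration, not captured GootLoader samples.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Content signatures (magic bytes) for document types a business template might be.
MAGIC = {
    b"%PDF-": "pdf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy .doc / .xls container
    b"PK\x03\x04": "zip",                          # .zip, and also .docx / .xlsx
}
# What content each claimed document extension should carry.
EXPECTED = {"pdf": "pdf", "doc": "ole2", "docx": "docx", "zip": "zip"}
# Extensions that mean "program or script", never "agreement template" (assumed list).
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "bat", "cmd",
               "exe", "dll", "scr", "lnk"}


@dataclass
class Verdict:
    claimed: str                 # type implied by the file name
    detected: str                # type implied by the bytes
    ok: bool
    reasons: list = field(default_factory=list)


def _zip_names(data: bytes) -> list:
    """Member names of a zip held in memory; empty list if it is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def detect_type(data: bytes) -> str:
    """Classify by content only, ignoring the file name entirely."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            if kind == "zip":
                names = _zip_names(data)
                # A .docx is a zip carrying an OOXML content-types part and a word/ tree.
                if "[Content_Types].xml" in names and any(n.startswith("word/") for n in names):
                    return "docx"
            return kind
    return "unknown"


def check_download(filename: str, data: bytes) -> Verdict:
    parts = filename.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    detected = detect_type(data)
    reasons = []

    # Only the last extension counts: "Agreement.pdf.js" claims .js, not .pdf.
    if claimed in SCRIPT_EXTS:
        reasons.append(f"'.{claimed}' is a script/program extension")
    # The bytes must match what the claimed document extension implies.
    elif claimed in EXPECTED and detected != EXPECTED[claimed]:
        reasons.append(f"name claims {claimed} but content is {detected}")
    # An archive wrapping a script is not a document either, whatever it is named.
    if detected in ("zip", "docx"):
        for name in _zip_names(data):
            if "." in name and name.rsplit(".", 1)[1].lower() in SCRIPT_EXTS:
                reasons.append(f"archive member '{name}' is a script/program")

    return Verdict(claimed, detected, not reasons, reasons)


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip (constructed test data, not a captured sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed inputs: a minimal PDF, a minimal OOXML .docx, and a zip whose only
# member is a JScript file named like an agreement template.
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
SAMPLE_LURE = make_zip({"Postnuptial_Agreement_Template.js": b"// placeholder, not a real sample\n"})

if __name__ == "__main__":
    for fname, blob in [("Postnuptial_Agreement_Template.pdf", SAMPLE_PDF),
                        ("Postnuptial_Agreement_Template.zip", SAMPLE_LURE),
                        ("Agreement_Template.pdf.js", b"function run() {}"),
                        ("Agreement.docx", SAMPLE_PDF)]:
        v = check_download(fname, blob)
        print(f"{fname}: {'OK' if v.ok else 'REJECT'} {v.reasons}")
```

A check like this belongs at the download boundary (a proxy, an email gateway, or a host agent), where the file name and the bytes are both available before the user can double-click. It deliberately trusts nothing about the name beyond the final extension, because the name is exactly what the lure is crafted to control.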

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization who has long collected and analyzed cyber indicators.  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or    

REDSHORTS - Weekly Cyber Intelligence Briefings
