Emerging Threat Alert: Drive-by-Compromise on the Rise as GootLoader Malware Exploits SEO Poisoning to Target Victims.

November 13, 2023

Historically, threat actors (TAs) have relied on three main methods to gain initial access to systems: exploiting known vulnerabilities, attacking exposed remote access services, and phishing. In recent incident response engagements, however, Kivu has observed a fourth initial access method, Drive-by-Compromise, gaining prevalence. In these Drive-by-Compromise incidents the primary malware of concern is GootLoader.

GootLoader is a malware loader that descends from the 2014 banking trojan GootKit and has been in wide use since 2021. It relies on Search Engine Optimization[1] (SEO) poisoning to manipulate search results: the operators push compromised websites to the top of the results for specific search terms, so a victim who searches for those terms lands on a site hosting the GootLoader payload.

For example, a user who searches for “third party liability settlement” might find a compromised website among the top search results. Upon clicking through to that site, the victim unknowingly downloads the initial GootLoader payload, which is named after the search terms using the convention <search terms>_agreement_<campaignid>.zip. In this example, the file might be named Third_party_liability_settlement_agreement_12345.zip.

The downloaded zip file contains obfuscated JavaScript-based GootLoader malware that is built to evade browser and antivirus detection. When the victim opens the .js file, Windows runs it through the Windows Script Host (the default handler for that extension). GootLoader then establishes persistence on the system through a scheduled task, which spawns PowerShell to serve as its initial Command & Control (C2) agent. The resulting access is subsequently sold as part of an Initial-Access-as-a-Service (IAaaS) offering to other threat actors. The GootLoader C2 agent is capable of logging keystrokes, taking screenshots, stealing credentials, executing commands, and dropping further tools such as Cobalt Strike.
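The two artefacts described above, a scheduled task that launches PowerShell or a script host, and an archive named <search terms>_agreement_<campaignid>.zip, are things a responder can hunt for directly on a suspect host. The following PowerShell is an added example and not Kivu's tooling or a GootLoader signature: the list of suspicious binaries, the user-profile path pattern, the encoded-command check and the Downloads-folder sweep are assumptions drawn from the behaviour described in this alert, and the regex is built from the single filename example given above. Tune them for your environment and run from an elevated prompt so that all users' tasks and folders are visible.

```powershell
# Added example (not Kivu's tooling): hunt for GootLoader-style persistence.
# Check 1: enabled scheduled tasks whose action launches a script host or
#          PowerShell, runs something from a user profile, or passes an
#          encoded PowerShell command (generic indicator, not page-specific).
# Check 2: recent archives in user Download folders matching the
#          <search terms>_agreement_<campaignid>.zip naming convention.

$suspiciousBinaries = 'wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe'
$userPathPattern    = '(?i)\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\'
$encodedPattern     = '(?i)(^|\s)-e(c|n|nc|ncodedcommand)?\s'   # -e / -ec / -enc / -EncodedCommand

$findings = foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # COM-handler / mail actions have no Execute
        $exe       = [System.IO.Path]::GetFileName($action.Execute.Trim('"'))
        $argString = [string]$action.Arguments
        $hit = ($suspiciousBinaries -contains $exe) -or
               ($action.Execute -match $userPathPattern) -or
               ($argString -match $userPathPattern) -or
               ($argString -match $encodedPattern)
        if ($hit) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $argString
            }
        }
    }
}

"== Scheduled tasks launching script hosts / PowerShell or user-profile content =="
$findings | Format-Table -AutoSize -Wrap

# Naming convention from the alert: <search terms>_agreement_<campaignid>.zip,
# e.g. Third_party_liability_settlement_agreement_12345.zip
$zipPattern = '(?i)^[A-Za-z0-9_\-]+_agreement_\d+\.zip$'

"== Archives matching the GootLoader naming convention (last 30 days) =="
Get-ChildItem -Path 'C:\Users\*\Downloads\*.zip' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $zipPattern -and $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Select-Object FullName, Length, LastWriteTime
```

Review every task the first check returns rather than treating a hit as proof of compromise; legitimate software also schedules PowerShell, so the useful signal is a task with a user-profile path in its action, an author that is an ordinary user, and a creation time close to the suspicious download. The second check only covers the default Downloads folder; browsers configured to save elsewhere, and files already moved or deleted by the victim, will not appear, so pair it with browser history and Windows event logs where available.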

Mitigations

1.    Only download files from trusted sources, and be suspicious of archives offered by unfamiliar sites that appear in search results.

2.    Deploy a top-tier EDR product on all hosts.

3.    If not required for business operations, prevent JavaScript (.js and .jse) files from executing automatically on user workstations, for example by changing the default handler for those extensions away from Windows Script Host.
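One practical way to apply mitigation 3 is to repoint the file-type handlers for .js and .jse at Notepad, so that a double-clicked script opens as text instead of running in Windows Script Host. The PowerShell below is an added example, not Kivu's or Microsoft's published guidance; it assumes the standard Windows mapping of .js to the JSFile ProgID and .jse to JSEFile, and it must be run from an elevated prompt because the change is machine-wide.

```powershell
# Added example (not the alert's own tooling): make double-clicked .js / .jse
# files open in Notepad instead of executing via Windows Script Host.
# Assumes the default ProgIDs JSFile and JSEFile; run elevated.

$scriptTypes = @{
    '.js'  = 'JSFile'
    '.jse' = 'JSEFile'
}
$notepad = "$env:SystemRoot\System32\notepad.exe"

foreach ($ext in $scriptTypes.Keys) {
    $progId = $scriptTypes[$ext]

    # Only touch extensions that still map to the expected ProgID; a different
    # mapping means some other product already owns the handler.
    $mapped = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if ($mapped -ne $progId) {
        Write-Warning "$ext maps to '$mapped', not '$progId'; skipping"
        continue
    }

    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    $before = (Get-ItemProperty -Path $cmdKey).'(default)'     # normally "...\WScript.exe" "%1" %*
    Set-ItemProperty -Path $cmdKey -Name '(default)' -Value "`"$notepad`" `"%1`""
    $after  = (Get-ItemProperty -Path $cmdKey).'(default)'

    "{0,-5} {1,-8}`n  before: {2}`n  after:  {3}" -f $ext, $progId, $before, $after
}

# Verify from the shell's point of view: both should now show notepad.exe.
cmd /c ftype JSFile
cmd /c ftype JSEFile
```

Writing through HKEY_CLASSES_ROOT lands in HKLM\Software\Classes, so a per-user override under HKCU\Software\Classes would still take precedence; check that hive on hosts where the change does not appear to take effect. This only stops the double-click path. A script can still be run by invoking wscript.exe or cscript.exe explicitly, so where those hosts are not needed at all, block them with AppLocker or Software Restriction Policies as well, and keep the EDR coverage from mitigation 2 as the backstop.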

[1] A technique used to get malicious websites higher up in search engine rankings so the malicious sites are more likely to be presented to end users.