The Gootloader malware family has been employing sophisticated blackhat SEO techniques to infect unsuspecting users.

This malware uses a multi-stage infection process that begins with compromised WordPress sites and ends with the delivery of dangerous payloads.

Gootloader’s operators compromise legitimate WordPress websites and inject malicious code that allows them to manipulate search engine results.

When users search for specific terms, often related to legal agreements or business documents, the compromised sites appear near the top of results.

Security researchers at Sophos noted that upon visiting one of these sites, victims are presented with a fake forum page that appears to answer their exact query.

This page contains a download link purporting to provide the document the user was searching for. However, clicking this link actually delivers the first-stage Gootloader payload – a malicious JavaScript file.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Blackhat SEO Techniques

The compromised WordPress sites contain injected PHP code that communicates with a command and control server, referred to as the “mothership”. This server provides the fake forum content and malicious payloads dynamically.

Key technical aspects include:-

• Use of a WordPress database table called “backupdb_wp_lstat” to block repeat visitors from the same IP range for 24 hours.
• Injection of malicious code into the Hello Dolly WordPress plugin to maintain persistence.
• Use of heavily obfuscated JavaScript code in the first-stage payload.
• Communication with C2 servers using base64 encoding and custom parameters.

Gootloader employs several blackhat SEO methods:-

1. Injecting hidden elements with targeted keywords into compromised sites.
2. Creating fake forum discussions that exactly match search queries.
3. Manipulating WordPress databases to serve malicious content to search engines.

The malware maintains persistence by modifying core WordPress files and plugins. It uses extensive code obfuscation to evade detection. The operators frequently rotate IP addresses and domains for their C2 infrastructure.

Despite being first discovered in 2018, Gootloader remains an active and evolving threat. The operators have maintained much of the same infrastructure, including the domain my-game[.]biz, which has been linked to the malware since its inception.

The website my-game used to belong to a German Counter-Strike team before it became home to the malicious Gootkit/Gootloader program.

Security researchers have been able to piece together much of Gootloader’s functionality through open-source intelligence and analysis of compromised sites. However, the full server-side code remains elusive, as it resides on attacker-controlled infrastructure.

YARA Rule for Detecting Gootloader’s First-Stage JScript Files:-

rule gootkit_js_stage1
{
strings:
$a1 = /function .{4,60}{return .{1,20} % .{0,8}(.{1,20}+.{1,20});}/
$a2 = /function [\w]{1,14}(.{1,14},.{1,50}) {return .{1,14}.substr(.{1,10},.{1,10});}/
$a3 = /function [\w]{1,14}(.{1,50}) {return .{1,14}.length;.{1,4}}/
$a4 = /function [\w]{1,14}(.{0,40}){.{0,40};while ([\w]{1,20} < [23][\d]{3}) {/
$b1 = /;WScript.Sleep([\d]{4,10});/
$b2 = /function [\w]{1,14}(.{0,40}) {.{0,40};while([\w]{1,20}<([\w]{1,14}*[\d]{4,10}) {/
condition:
3 of ($a) and 1 of ($b)
}

Organizations are advised to implement robust web filtering, keep WordPress installations fully patched, and educate users about the risks of downloading documents from unfamiliar websites.

Integrating Application Security into Your CI/CD Workflows Using Jenkins & Jira -> Free Webinar