They make their delivery sites popular on Google before deploying their malware.
Evil genius at work! Hackers have started using search engine optimization (SEO) techniques to deploy malware to even more victims.
Sophos, the cybersecurity firm, has identified this new technique. They call it search engine “deoptimization”. The method includes SEO tricks and psychological tricks to give compromised websites higher Google rankings.
SEO optimization is a technique webmasters use to increase their website’s exposure on search engines such as Google or Bing. Sophos says that malefactors are now using the content management systems (CMS) of websites to serve financial malware, exploit tools, and ransomware.
The Sophos team said that they decided to break with tradition and actually assign a sopecial name to this delivery technique, rather than simply combine the delivery method with the payload.
They have called this SEO-optimization-based method “Gootloader”. The technique involves deployment of the infection framework for the Gootkit Remote Access Trojan (RAT). Gootkit also delivers a variety of other malware payloads.
Sophos says that this SEO technique to deploy Gootkit RAT is actually a very sophisticated operation. The researchers estimate that the hackers must maintain a network of servers that also host legitimate websites for the Gootloader to succeed.
The threat actors then obtain access, and they insert few lines of code into the body of website content. They then manipulate the compromised websites to answer specific search queries.
Using psychology to trick victims
Sophos says that the compromised web pages then respond to a search query. “If the right conditions are met…the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic,” the researchers say.
Victims who click on the direct download links embedded in these redrawn pages will receive a .zip archive that contains a .js file. The hackers even name the .zip file in relation to the search term.
The .js file then executes on the victims computer, runs in memory, and it then decrypts more code to call other payloads.
According to Sophos, hackers re using this technique to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants. They are currently active in South Korea, Germany, France, and the United States.