fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Hackers Use Black Hat SEO To Push Ransomware, Trojans Via Google

Hackers Use Black Hat SEO To Push Ransomware, Trojans Via Google

The delivery system for the Gootkit information stealer has evolved into a complex and stealthy framework, which earned it the name Gootloader, and is now pushing a wider variety of malware via hacked WordPress sites and malicious SEO techniques for Google results.

Apart from increasing the number of payloads, Gootloader has been seen distributing them across multiple regions from hundreds of hacked servers that are active at all times.

Fake forums start the malware flow

Malware campaigns relying on Gootloader’s mechanism have been spotted last year delivering REvil ransomware to targets in Germany. The activity marked a restart of Gootkit operations that took a long break after a data leak towards the end of 2019.

The actors regrouped by forming a vast network of hacked WordPress sites and using SEO poisoning to show in Google forum posts fake forums with malicious links.

The fake message boards appear only to visitors from specific geographies and present them a “discussion” that allegedly contains the answer to their query in a post from “site administrator,” who publishes a link to a malicious file.

A report today from cybersecurity company Sophos estimates that Gootloader controls about 400 servers active at any time that host hacked, legitimate websites.

The researchers say that the threat actor modified the content management system (CMS) of the hacked websites to show the fake message boards to visitors from specific locations.

Also Read: What Do 4 Messaging Apps Get From You? Read The iOS Privacy App Labels

In an example of a hacked site that is part of the Gootloader framework, the fake forum post appears to provide an answer for a very specific search query related to real estate transactions.

source: Sophos

However, the result is on a site for a neonatal medical practice that has nothing in common with the searched topic, “yet it is the first result to appear in a query about a very narrowly defined type of real estate agreement.”

Apart from the typical payload, Gootkit and REvil ransomware, Gootloader has also been observed to deliver Kronos trojan and the Cobalt Strike threat emulation toolkit.

According to Sophos, Gootloader campaigns target visitors from the U.S. Germany, and South Korea. Another country that’s been targeted previously is France.

Clicking on the link takes the visitor to a ZIP archive of a JavaScript file that acts as the initial infector. Sophos notes that this is the only stage where a file is written to disk and that all the other malware is deployed in the system memory, so traditional security tools can’t detect it.

All forum posts look the same, regardless of their language. If the visitor does not match the target profile, they see a fake page with text that looks normal at the beginning but turns into an unintelligible ramble towards the end.

Twists and turns of the infection chain

The initial JavaScript payload is twice obfuscated to evade detection from traditional antivirus solutions. It also includes two layers of encryption to strings and data blobs that relate to the next stage of the attack, which is the sole purpose of the malicious code.

If the move to the second stage is successful, the Gootloader command and control (C2) server delivers a string of numeric values that represent ASCII characters, which is loaded into the system memory.

“This stage contains a large blob of data that it, first, decodes from its numeric value into text, then writes directly into a series of keys in the Windows Registry, under the HKCU\Software hive” – Sophos

The same method was observed last year by Malwarebytes when the researchers analyzed the delivery of REvil ransomware to German targets via Gootkit’s delivery framework.

source: Sophos

In the next step, an autorun entry is created for a PowerShell script so that it loads at each system reboot. It’s purpose is to decode the contents written earlier in the registry keys. This ultimately ends with downloading the final payload, which can be Gootkit, REvil, Kronos, or Cobalt Strike.

Sophos says that the latest Gootloader samples use the registry to store two payloads, a small C# executable which is responsible with extracting a second executable from the data stored in Windows Registry.

This second executable is Gootloaders final payload, an intermediary dotNET injector that deploys a Delphi-based malware using the process hollowing technique.

Sophos saw at least two legitimate applications used for this process: the ImagingDevices.exe system component that is available in Windows and the Embarcadero External Translation Manager.

source: Sophos

This Delphi malware is the last link in the infection chain as it includes a encrypted copy of REvil, Gootkit, Cobalt Strike, or Kronos. It decrypts the payload it carries and executes it in memory.

All these twists and turns at each stage of the attack are buying the attacker some time to carry out their campaigns as malware analysts can spend a lot of time understanding every step in the infection chain.

Furthermore, Sophos says that there are multiple variations for the delivery methods that involve additional PowerShell scripts, Cobalt Strike modules, or code-injector executables.

Also Read: Key PDPA 2019/2020 You Should Know

The researchers say that using script blockers could keep users at bay from this threat as they can prevent the replacement of the hacked page. However, this solution is popular with a small number of users and a large pool of potential victims still remains.

Sophos has published a technical analysis of the Gootloader infection chain and makes available on its GitHub page indicators of compromise and a Yara rule for its malicious JavaScript files.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us