Threat Alert

by IthacaLabs™

THREAT LEVEL: High – 02/03/2021

New Malware Campaign exploiting “SEO”

Threat Level Description

Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures are required, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

A new malware campaign, spreading worldwide, has been identified.

This malware campaign consists of a JavaScript-based infection framework for the “Gootkit RAT” that deploys an array of malware payloads in order to steal credentials from the targeted victims and/or to perform a number of other malicious actions.

The “Gootkit” malware family is a mature banking Trojan that has been around for more than half a decade.

The delivery mechanism of the “Gootkit” malware, named “Gootloader”, makes use of search engine optimization (SEO) poisoning techniques in order to push hacked websites into Google’s top search results.

Furthermore, the “Gootloader” delivery mechanism has converted much of its infection infrastructure to a “file-less” state. This means that, during the infection process, none of the malicious code is written to disk.

In addition, “Gootloader” attempts to evade antivirus products by using trusted, legitimate processes. This means that, instead of actively attacking endpoint tools, “Gootloader” has been optimized to evade protection mechanisms and conceal its malicious actions.

This type of malware campaign indicates that the abuse of Search Engine Optimization (SEO), an old evasive technique, is on the rise again, and that cyber-criminals tend to reuse their proven solutions instead of developing new delivery mechanisms.

CVE(s)

N/A

Affected Systems

  • N/A

Recommendation(s)

The guidelines below will help you protect against this malware and its associated security threats:
* Consider the use of script blockers in your browser, so that even if a user visits a hacked website, the initial script that propagates the malware will not execute.
* Consider the use of different web search engines.
* Ensure behavioral detection rules are in place within your organization, as they can block this particular infection in its middle stages, before the final payload is delivered to your machine.
* Indicators of compromise, including a YARA threat-hunting rule, can help incident responders find similar JavaScript files.
* Check for any applications or scripts that should not be in the startup process.
* URL filtering mechanisms should be in place.
* Consider enabling the “Show hidden file-extensions” option.
* Install anti-virus and spyware detection software on all computer systems. Free software may not provide protection against the latest threats compared with an industry-standard product.
* Update your computers regularly with the latest versions and patches of both antivirus and antispyware software.
* Ensure computers are patched regularly, particularly the operating system and key applications, with security patches.
* Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup.
* It is strongly recommended to implement a Security Awareness program, addressed to all your management and staff, designed to increase the level of understanding regarding Social Engineering and security threats in general.
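As an added example (not part of this alert and not IthacaLabs tooling), the PowerShell script below implements two of the recommendations above on a Windows host: it audits the common autostart locations for entries that reference script files or script hosts, which is where a JavaScript-based loader would persist, and it turns off extension hiding in Explorer so a double-extension script is visible. The registry keys and startup folders are standard Windows locations; the list of script extensions is an assumption you should adjust to your environment.

```powershell
# Added example, not from the IthacaLabs alert. Assumes a Windows host; run elevated
# so the HKLM keys are readable. Review findings manually before removing anything.

# Assumed list of extensions handled by Windows Script Host / mshta / PowerShell.
$ScriptExtensions = @('.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.ps1')

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

function Test-ScriptReference {
    param([string]$Value)
    # True when the command line names a script file or invokes a script host.
    foreach ($ext in $ScriptExtensions) {
        if ($Value -match ([regex]::Escape($ext) + '(\s|"|$)')) { return $true }
    }
    return ($Value -match '\b(wscript|cscript|mshta)(\.exe)?\b')
}

$Findings = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if (Test-ScriptReference ([string]$p.Value)) {
            $Findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}
foreach ($folder in $StartupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File |
        Where-Object { $ScriptExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object { $Findings += [pscustomobject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName } }
}

$Findings | Format-Table -AutoSize   # each row is a startup entry worth verifying

# Show file extensions in Explorer so "invoice.pdf.js" is no longer displayed as "invoice.pdf".
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name HideFileExt -Value 0
```

The Explorer setting takes effect for new Explorer windows or after signing in again; scheduled tasks and WMI subscriptions are further persistence locations the script does not cover.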

Finally, if a system is compromised, it should be immediately removed from the network.
