New Malware Campaign exploiting “SEO”
Threat Level Description
Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.
A new malware campaign, spreading worldwide, has been identified.
The “Gootkit” malware family is a mature banking Trojan that has been around for more than half a decade.
The delivery mechanism of the “Gootkit” malware, named “Gootloader”, makes use of search engine optimization (SEO) poisoning techniques to push compromised websites into Google’s top search results.
Furthermore, the “Gootloader” delivery mechanism has moved much of its infection chain to a “file-less” state: during the infection process, none of the malicious code is written to disk.
In addition, by using trusted, legitimate processes, “Gootloader” attempts to evade antivirus products. Instead of actively attacking endpoint tools, it has been optimized to evade protection mechanisms and conceal its malicious actions.
This type of malware campaign indicates that the abuse of Search Engine Optimization (SEO), an old evasive technique, is on the rise again and that the cyber-criminals tend to reuse their proven solutions instead of developing new delivery mechanisms.
The guidelines below will help you protect against malware and its associated security threats:
* Consider the use of script blockers in your browser, so that even if a user visits a compromised website, the initial script that propagates the malware won’t execute.
* Consider the use of different web search engines.
* Ensure behavioral detection rules are in place within your organization, as they can block this particular infection in its middle stages, before the final payload is delivered to the machine.
* Check for any applications or scripts that should not be in the startup process.
* Ensure URL filtering mechanisms are in place.
* Consider enabling the “Show hidden file-extensions” option.
* Install anti-virus and spyware detection software on all computer systems. Free software may not protect against the latest threats as well as an industry-standard product.
* Update your computers regularly with the latest versions and patches of both antivirus and antispyware software.
* Ensure computers are patched regularly, particularly the operating system and key applications, with security patches.
* Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup.
* It is strongly recommended to implement a Security Awareness program, addressed to all your management and staff, designed to increase understanding of Social Engineering and security threats in general.
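As an added example that is not part of the advisory, the following PowerShell script implements the two endpoint checks above on a Windows machine: it lists the common autostart locations (Run/RunOnce keys and the Startup folders), flags entries that invoke a script host or a script file extension, and reports whether Explorer is hiding file extensions. The list of script hosts and extensions is an assumption chosen for illustration; review flagged entries before acting on them.

```powershell
# Added example (not from the advisory): review Windows autostart entries and
# the "hide file extensions" setting. Run from an elevated PowerShell session.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
# Assumed list: script hosts and script extensions that rarely belong in a
# normal user's autostart. Matching is case-insensitive by default.
$scriptPattern = '\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b|\.(js|jse|vbs|vbe|wsf|wsh|hta|ps1)\b'

$findings = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
            [pscustomobject]@{
                Location   = $key
                Name       = $p.Name
                Command    = [string]$p.Value
                Suspicious = ([string]$p.Value) -match $scriptPattern
            }
        }
    }
    foreach ($dir in $startupDirs) {
        # -Force also lists hidden files dropped into the Startup folder.
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Location   = $dir
                Name       = $_.Name
                Command    = $_.FullName
                Suspicious = $_.Name -match $scriptPattern
            }
        }
    }
)
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Explorer hides extensions when HideFileExt is 1, which lets a script named
# like a document pass as one; this is what "show hidden file-extensions" addresses.
$adv = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ($adv.HideFileExt -eq 1) { Write-Warning 'File extensions are hidden; set HideFileExt to 0.' }
```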
Finally, if a system is compromised, it should be removed from the network immediately.