Hackers update Gootkit RAT to use Google searches and discussion forums to deliver malware

Security analysts and an SEO expert explain how this new approach uses legitimate websites to trick users into downloading infected files.



It was only a matter of time before cybercriminals turned their attention to one of the most common activities on the internet: a Google search. The latest trick is using long-tail search terms and legitimate websites to deliver the Gootkit remote access trojan.

This latest iteration of the Gootkit RAT uses “malicious search engine optimization techniques to squirm into Google search results,” as Sophos analysts describe it in a blog post. The cybersecurity firm reports that criminals are using this new variation they call Gootloader to deliver malware payloads in North America, South Korea, Germany and France. The Sophos research found that bad actors are not targeting other search engines as frequently or as successfully. 


Chris Rodgers, CEO and founder of Colorado SEO Pros, said that this new tactic uses Google as a gateway and relies on SEO knowledge, particularly about long-tail searches.

“They had to go in and find topics that are low competition and low search volume and they have to be doing this at massive volume for it to be lucrative,” he said.

Hackers seem to be getting control through content management systems like WordPress and via plugins.

“That is a definite doorway and from there being able to create these fake forms,” he said. “It’s pretty creative as shady hacking stuff goes.”

Gaurav Banga, founder and CEO of cybersecurity company Balbix, said that with the recent Gootloader malware, bad actors are “SEO poisoning” by compromising legitimate and highly trafficked websites by accessing the site back-end, editing content to improve SEO, and…