Security experts are using malware’s own code to protect potential victims


Hacking the hackers: Gootloader is a long-running cyber-criminal operation based on an “initial access-as-a-service” model: the gang behind the malware infects organizations, then sells access to “customers” looking for an entry point to go deeper into the victim’s network. To successfully thwart the operation, researchers fought fire with fire.

The Gootloader malware originated from the Gootkit banking trojan, which has been active against European targets since 2010. The malicious operation allows third-party criminals to put their malware (especially ransomware) into a compromised network. The gang behind it has been particularly successful over the past several years.

Security researchers at eSentire have tracked recent Gootloader activities and are now explaining how it works and what’s needed to fight it. The Gootloader operation uses SEO poisoning techniques, luring potential victims to an “enormous array” of compromised WordPress blogs.

The operation is tailored to exploit victims more inclined to pay a ransom to get their data back. The blogs are populated with bait content, including links to malicious documents, templates, and other generic forms. When the target clicks these links, they unintentionally infect their Windows machine with the main Gootloader malware.

Gootloader’s most common victims are professionals working for law firms and corporate legal departments. The analysts explain that bad actors use blog posts about legal agreements and contracts to lure people in those positions into downloading their malicious code. Legal professionals have essentially been the primary target of the Gootloader gang for the past 15 months, with 12 different organizations targeted between January and March 2023.

The eSentire researchers created a specialized web crawler to keep track of Gootloader-related web pages and previously infected sites. They found around 178,000 live Gootloader pages and another 100,000+ previously infected sites. The researchers collected evidence that links Gootloader to the infamous Russian REvil gang, which regularly partnered with the malware’s network between 2019 and 2020 to infect, encrypt, and scam compromised organizations.
