In an unusually particular marketing campaign, customers looking concerning the legality of Bengal Cats in Australia are being focused with the GootLoader malware.
“On this case, we discovered the GootLoader actors utilizing search outcomes for details about a selected cat and a selected geography getting used to ship the payload: ‘Are Bengal Cats authorized in Australia?,'” Sophos researchers Trang Tang, Hikaru Koike, Asha Citadel, and Sean Gallagher mentioned in a report printed final week.
GootLoader, because the identify implies, is a malware loader that is sometimes distributed utilizing search engine marketing (search engine marketing) poisoning ways for preliminary entry.
Particularly, the malware is deployed onto sufferer machines when looking for sure phrases like authorized paperwork and agreements on serps like Google floor booby-trapped hyperlinks pointing to compromised web sites that host a ZIP archive containing a JavaScript payload.
As soon as put in, it makes method for a second-stage malware, usually an data stealer and distant entry trojan dubbed GootKit, though it has additionally been noticed delivering different households akin to Cobalt Strike, IcedID, Kronos, REvil, and SystemBC previously for post-exploitation.
The newest assault chain isn’t any totally different in that searches for “Do you want a license to personal a Bengal cat in Australia” floor outcomes that embody a hyperlink to a legitimate-but-infected web site belonging to a Belgium-based LED show maker, from the place victims are prompted to obtain a ZIP archive.
Current inside the ZIP archive is a JavaScript file that is then liable for kicking off a multi-stage assault chain that culminates within the execution of a PowerShell script able to harvesting system data and fetching extra payloads. It is price noting that an an identical marketing campaign was documented by Cybereason earlier this July.
Sophos mentioned it didn’t observe the deployment of GootKit within the case the corporate analyzed, thereby stopping the obtain of extra malware.
“GootLoader is one in all quite a few persevering with malware-delivery-as-a-service operations that closely leverage search outcomes as a way to succeed in victims,” the researchers mentioned. “The usage of search engine marketing, and abuse of search engine promoting to lure targets to obtain malware loaders and dropper, aren’t new—GootLoader has been doing this since at the very least 2020.”
