Hackers use SEO techniques to massively distribute banking Trojans and ransomware

A security report prepared by Sophos’s researchers mentions that the cybercriminal community has found a way to abuse search engine optimization (SEO) methods in order to deploy malware to as many victims as possible in a single attack. According to experts, this method of “deoptimization” includes SEO techniques and social engineering in order to place compromised websites in the top of Google.

It should be remembered that SEO optimization refers to the techniques used by website administrators to organically increase the exposure of their platforms in the most popular search engines. The report mentions that malicious hackers can manipulate content management systems (CMS) to deploy malware using these techniques.

The technique was dubbed “Gootloader” and requires the implementation of a remote access Trojan (RAT) of the same name, which includes other malware variants to use on further attacks. Experts believe this campaign involves the use of around 400 malicious servers, so this is a considerable criminal effort.

Although the method used by hackers to compromise domains is still unknown, experts mention that CMSs running the backend of these websites could be compromised using the malware associated with this campaign. Once they gain access, malicious hackers insert some lines of code to perform checks on the content of the affected site, IP address, location, and queries originating from Google.

Affected websites are manipulated to respond to specific search queries, and their settings are modified and how site content is presented to users. In most cases, users who enter an attacked website find a normal-looking website that in the end becomes junk text. A fake post will then be displayed on the forum containing an apparent response to the query, as well as a direct download link.

If a user interacts with these links, they will receive a ZIP file with a name related to the terms used in addition to a .js file running in memory, and then the hidden code is decrypted to activate the other payloads included in Gootloader. This attack includes the Gootkit banking Trojan infection and some ransomware variants like Kronos, Cobalt Strike and REvil.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.