Security News > 2021 > March > Malware Loader Abuses Google SEO to Expand Payload Delivery
The Gootloader malware loader, previously used for distributing the Gootkit malware family, has undergone what researchers call a "Renaissance" when it comes to payload delivery.
New research released this week paints Gootloader as an increasingly sophisticated loader framework, which has now expanded the number of payloads its delivers beyond Gootkit, to include the Kronos trojan and the Cobalt Strike commodity malware.
Gootloader is known for its multi-stage attack process, obfuscation tactics, and for using a known tactic for malware delivery called search engine optimization poisoning.
"The malware delivery method pioneered by the threat actors behind the REvil ransomware and the Gootkit banking Trojan has been enjoying a renaissance of late, as telemetry indicates that criminals are using the method to deploy an array of malware payloads in South Korea, Germany, France, and across North America," said Gabor Szappanos and Andrew Brandt, security researchers with Sophos Labs on Monday.
In addition to its use of SEO poisoning, what sets Gootloader apart is its fileless malware delivery tactics, they said.
Fileless malware uses trusted, legitimate processes that allows the malware delivery mechanism to evade antivirus products.
News URL
https://threatpost.com/malware-loader-google-seo-payload/164377/
Related news
- Azure domains and Google abused to spread disinformation and malware (source)
- Cyberattackers Exploit Google Sheets for Malware Control in Likely Espionage Campaign (source)
- New Voldemort malware abuses Google Sheets to store stolen data (source)
- Malware locks browser in kiosk mode to steal Google credentials (source)
- Android malware 'Necro' infects 11 million devices via Google Play (source)
- New Octo Android malware version impersonates NordVPN, Google Chrome (source)