Security News > 2021 > March > Malware Loader Abuses Google SEO to Expand Payload Delivery
The Gootloader malware loader, previously used for distributing the Gootkit malware family, has undergone what researchers call a "Renaissance" when it comes to payload delivery.
New research released this week paints Gootloader as an increasingly sophisticated loader framework, which has now expanded the number of payloads its delivers beyond Gootkit, to include the Kronos trojan and the Cobalt Strike commodity malware.
Gootloader is known for its multi-stage attack process, obfuscation tactics, and for using a known tactic for malware delivery called search engine optimization poisoning.
"The malware delivery method pioneered by the threat actors behind the REvil ransomware and the Gootkit banking Trojan has been enjoying a renaissance of late, as telemetry indicates that criminals are using the method to deploy an array of malware payloads in South Korea, Germany, France, and across North America," said Gabor Szappanos and Andrew Brandt, security researchers with Sophos Labs on Monday.
In addition to its use of SEO poisoning, what sets Gootloader apart is its fileless malware delivery tactics, they said.
Fileless malware uses trusted, legitimate processes that allows the malware delivery mechanism to evade antivirus products.
News URL
https://threatpost.com/malware-loader-google-seo-payload/164377/
Related news
- Fake Homebrew Google ads target Mac users with malware (source)
- Crypto-stealing iOS, Android malware found on App Store, Google Play (source)
- Fake Google Chrome Sites Distribute ValleyRAT Malware via DLL Hijacking (source)
- Week in review: Exploited 7-Zip 0-day flaw, crypto-stealing malware found on App Store, Google Play (source)
- SpyLend Android malware downloaded 100,000 times from Google Play (source)