A Gootloader malware campaign has been identified that uses Google Ads to make initial contact with businesses, luring them with realistic adverts on a legitimate and trusted platform and tricking them into installing malware. Gootloader is a malware loader used to gain initial access to Windows devices. First identified in 2020, it is used to deliver additional malware payloads; it has, for example, been used to deliver Gootkit, a banking Trojan with information-stealing capabilities. Gootloader is also operated as an "initial access as a service" offering, providing cybercriminal groups with the foothold they need to achieve their aims, for instance by selling that access to ransomware groups.

Historically, Gootloader has been distributed via search engine optimization (SEO) poisoning, which abuses Google and other search engines. The technique manipulates search rankings so that attacker-controlled sites appear near the top of the results for chosen key terms. A high ranking gives Internet users the impression that the website is legitimate while also ensuring that enough people see the listing and click.

The latest campaign uses Google Ads to achieve the same purpose: getting a malicious site in front of users and giving them a reason to download a file. Because the lure is aimed at small businesses and other potentially high-value targets, the resulting access is of interest to ransomware groups. Google vets advertisers and is usually able to prevent malicious adverts from appearing on its network; however, from time to time those checks fail.

In this case, the campaign is attributed to a legitimate-sounding advertiser called Med Media Group Limited, which uses legal document templates such as contracts and non-disclosure agreements to attract small businesses. The campaign uses fake websites that appear legitimate, such as lawliner[.]com, and has been configured to display ads for searches for legal documents. The adverts claim to provide a free template for the document with no sign-up and no registration required.

If the ad is clicked, the user is directed to a legitimate-looking, professional webpage and asked to enter an email address; a download link for the requested document is then sent by email. The link points to a different website, skhm[.]org, which triggers the download of a zip file containing a file named to look like the requested document. For the non-disclosure agreement lure, for instance, the zip contains a file called non_disclosure_agreement_nda.js. The footer of the email claims the service is SKHM (Store, Keep, Host & Mail) and includes a mailing address along with a contact mobile phone number for a UK company called ENDOLE LTD.

The company name and contact details add legitimacy, and anyone who calls the number will be told that the company and the file are legitimate; that is certainly not the case. The downloaded file is JavaScript. If it is run, Windows Script Host executes it and it delivers Gootloader, which establishes persistence and reaches out to its command-and-control server. After reconnaissance of the local host and the network it sits on, Gootloader delivers secondary malware payloads.
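The execution step described above (a user double-clicks the .js and Windows Script Host runs it) leaves a process-creation trail that can be alerted on. The following is an added example, not code from the article or from any product it names: a small detector that flags wscript.exe or cscript.exe running a script file from a download or temp location, or launched directly by explorer.exe, and that leaves a scheduled admin script alone. The records it runs over are constructed to resemble Sysmon process-creation fields; the user, paths and field layout are assumptions, and only the script name comes from the article.

```python
"""Flag Windows Script Host launches of user-downloaded script files.

Added example (not from the article). The process-creation records below
are constructed to resemble Sysmon Event ID 1 fields, flattened into
key=value pairs separated by '|'; the users and paths are invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Script engines Windows uses for double-clicked script files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Extensions that Windows Script Host will run.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh")

# Directories where downloaded or zip-extracted files usually land.
RISKY_DIR = re.compile(r"\\(Downloads|Desktop|AppData\\Local\\Temp|Temp)\\", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    parent: str
    script: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key=Value|Key=Value' into a dict (split only on the first '=')."""
    fields = {}
    for part in line.strip().split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def script_argument(command_line: str) -> Optional[str]:
    """Return the first quoted or bare argument that ends in a script extension."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', command_line):
        arg = quoted or bare
        if arg.lower().endswith(SCRIPT_EXTENSIONS):
            return arg
    return None


def check_event(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the event is a script host running a risky script."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    script = script_argument(event.get("CommandLine", ""))
    if script is None:
        return None
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if RISKY_DIR.search(script):
        reasons.append("script in download/temp location")
    if parent == "explorer.exe":
        reasons.append("started from explorer.exe (user double-click)")
    if not reasons:
        return None  # e.g. an admin .vbs under ProgramData run by a service
    return Finding(event.get("User", "?"), parent, script, "; ".join(reasons))


def scan(lines: List[str]) -> List[Finding]:
    """Run check_event over every non-empty record and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_event(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records: the lure script from the article, a benign
# Word launch, a legitimate scheduled admin script, and a script run
# straight out of an archiver's temp folder.
SAMPLE_EVENTS = [
    r'EventID=1|User=CORP\jsmith|Image=C:\Windows\System32\wscript.exe'
    r'|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\jsmith\Downloads\non_disclosure_agreement_nda\non_disclosure_agreement_nda.js"',
    r'EventID=1|User=CORP\jsmith|Image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
    r'|ParentImage=C:\Windows\explorer.exe'
    r'|CommandLine="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\jsmith\Downloads\contract.docx"',
    r'EventID=1|User=NT AUTHORITY\SYSTEM|Image=C:\Windows\System32\cscript.exe'
    r'|ParentImage=C:\Windows\System32\svchost.exe'
    r'|CommandLine=cscript.exe //nologo C:\ProgramData\Vendor\inventory.vbs',
    r'EventID=1|User=CORP\jsmith|Image=C:\Windows\System32\wscript.exe'
    r'|ParentImage=C:\Program Files\7-Zip\7zFM.exe'
    r'|CommandLine="C:\Windows\System32\WScript.exe" "C:\Users\jsmith\AppData\Local\Temp\7zO4A1B\contract.js"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.user}: {f.parent} -> {f.script} [{f.reason}]")
```

The parent-process check matters: the same script hosts run plenty of legitimate logon and inventory scripts, but those are started by services or the task scheduler from system paths, not by explorer.exe out of a user's Downloads folder.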

The key to avoiding Gootloader infections is security awareness. This campaign has several red flags, although they can easily be missed. Free resources normally require registration, so an offer with no sign-up at all is unusual. The site where the download occurs is different from the site used for the ad campaign, and the file arrives in a zip rather than as a standard Word document or PDF. Further, a close look at the file reveals it is a .js script, which Windows runs through Windows Script Host when double-clicked, and a warning is displayed that requires confirmation before the file is executed.
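The delivery-format red flags above (an archive instead of a document, and a script inside it named like the document) can also be checked mechanically at a download or mail gateway rather than left to the user. The following is an added example, not code from the article or from any product it mentions; it builds a few small archives in memory from inert placeholder text (constructed samples; only the first member name is taken from the article) and flags script members, a document extension used to disguise a script, and nested archives.

```python
"""Flag archives that deliver a script where a document was promised.

Added example (not from the article). The archives are built in memory
from inert placeholder text; only the first member name comes from the
article, the rest are invented.
"""
import io
import zipfile
from typing import Dict, List, Union

# Types Windows will execute on double-click: scripts, shortcuts, installers.
EXECUTABLE_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".lnk", ".bat", ".cmd", ".ps1", ".exe", ".scr", ".msi",
}
# Types a legal-template download could legitimately contain.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".rtf", ".odt", ".txt"}
# Archives nested in archives are a common way to get past a single unpack.
ARCHIVE_EXTENSIONS = {".zip", ".7z", ".rar", ".iso", ".img"}


def extensions_of(name: str) -> List[str]:
    """All dotted suffixes of a member name: 'dir/a.pdf.js' -> ['.pdf', '.js']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + part for part in base.split(".")[1:]]


def inspect_archive(data: bytes) -> List[str]:
    """Return the reasons to block this archive; an empty list means clean."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = extensions_of(info.filename)
            if not exts:
                reasons.append(f"{info.filename}: no extension")
                continue
            final = exts[-1]
            if final in EXECUTABLE_EXTENSIONS:
                reasons.append(f"{info.filename}: executable type {final}")
                # contract.pdf.js: the document extension is a disguise.
                if any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
                    reasons.append(f"{info.filename}: document extension hides {final}")
            elif final in ARCHIVE_EXTENSIONS:
                reasons.append(f"{info.filename}: nested archive")
    return reasons


def build_zip(members: Dict[str, Union[str, bytes]]) -> bytes:
    """Build a zip in memory from {name: content} for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. The script bodies are placeholders, not the loader.
LURE_ZIP = build_zip({"non_disclosure_agreement_nda.js": "// placeholder\n"})
DOUBLE_EXT_ZIP = build_zip({"contract.pdf.js": "// placeholder\n"})
NESTED_ZIP = build_zip({"template.zip": build_zip({"x.js": "// placeholder\n"})})
CLEAN_ZIP = build_zip({"non_disclosure_agreement_nda.docx": "placeholder document\n"})

if __name__ == "__main__":
    for label, blob in [("lure", LURE_ZIP), ("double-ext", DOUBLE_EXT_ZIP),
                        ("nested", NESTED_ZIP), ("clean", CLEAN_ZIP)]:
        print(label, inspect_archive(blob) or "OK")
```

Blocking on the final extension is deliberate: Windows decides how to open a file by its last suffix, so `contract.pdf.js` is a script however it is named, and a gateway that only looks for a document-like substring in the name would let it through.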

Businesses should ensure that security awareness training is provided to employees to explain all of these red flags and the other methods cybercriminals use to distribute malware and phish for sensitive data. The SafeTitan security awareness training and phishing simulation platform makes it easy to create and automate training courses and phishing simulations. Businesses should also consider using a DNS filter to restrict access to malicious websites and block malware downloads from the Internet. The WebTitan DNS filter allows category-based filtering, preventing users from visiting risky categories of websites and websites serving no work purpose. WebTitan is constantly fed threat intelligence from a vast network of end users and will block access to malicious websites within a few minutes of a website or webpage being determined to be malicious, including redirects to malicious sites from compromised, legitimate websites. The solution can also be configured to block file downloads from the Internet by file type, which helps to prevent malware downloads such as the script-in-a-zip lure used in this campaign. TitanHQ also offers a full suite of cybersecurity solutions, including anti-spam software with email sandboxing, anti-phishing protection, and email encryption and email archiving solutions.