Gootloader, a malware delivery platform, has been poisoning websites with malicious content, cybersecurity solutions firm Sophos discovered. The malware also manipulates the websites’ search engine optimization (SEO) “to ensure that these hacked websites appeared among the top search results.”
By pushing the infected pages to the top of search results, the attackers lead unsuspecting internet users to click on them and infect their own devices or platforms. This ensures the quick spread of the malware.
“Gootloader uses SEO optimization and social engineering, a combination that is not commonly seen in malware delivery,” said Gabor Szappanos, threat research director at Sophos. “The usually recommended safety instructions to overcome common threats are not sufficient here. Organizations need to understand how this type of attack works, as outlined in the Sophos research, to be able to recognize it and be ready and able to defend against it.”
The discovery of Gootloader is among the latest findings in Sophos research published recently.
The security researchers also found that the process is anything but rudimentary: the search results that deliver Gootloader pages are often the top result for the specific query that leads victims to them. The “mothership server,” according to Sophos, controls the infection process and provides the content that is delivered by the compromised sites.
The research also noted that the most frequently poisoned search terms that reveal Gootloader target corporate internet users rather than consumers.
Sophos recommends that individual internet users also look out for the following warning signs:
- Search results that point to websites for businesses that have no logical connection to the advice they appear to offer
- Advice that precisely matches the search terms used in the initial question
- A “message board”-style page that features text and a download link that also precisely matches the search terms used in the initial Google search
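The second and third warning signs above can be checked mechanically against a fetched page. The following Python script is an added illustration, not Sophos code or anything from the research; `gootloader_lure_signs` is a hypothetical helper name, and the search query and forum-style HTML are constructed samples.

```python
from html.parser import HTMLParser
import re


class _PageScanner(HTMLParser):
    """Collects visible text and (href, label) pairs from an HTML page."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href", ""), []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._label)))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)


def _normalize(s):
    return re.sub(r"\s+", " ", s.lower()).strip()


def gootloader_lure_signs(query, html):
    """Return which of the list's automatable warning signs the page shows."""
    scanner = _PageScanner()
    scanner.feed(html)
    q, body = _normalize(query), _normalize(" ".join(scanner.text))
    signs = []
    if q and q in body:
        signs.append("page text repeats the exact search phrase")
    # The link label, not the URL, is what the victim reads and clicks.
    for href, label in scanner.links:
        if q and q in _normalize(label):
            signs.append(f"download link labelled with the search phrase: {href}")
    return signs


# Constructed sample mimicking the forum-style lure; not a real Gootloader page.
SAMPLE_QUERY = "sample agreement template for consultants"
SAMPLE_HTML = """<div class="post"><p>Q: where can I get a sample agreement template for consultants?</p>
<p>Admin: here you go, <a href="/download.php?id=1">sample agreement template for consultants</a></p></div>"""
```

A page that trips both checks deserves the same scrutiny as the first warning sign, which needs a human judgement about whether the hosting business has any logical connection to the advice offered.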
Sophos Intercept X protects users by detecting the actions and behaviors of malware like Gootloader, such as the delivery of Cobalt Strike or the use of process hollowing techniques to inject malware into a running system.