A Security Team Is Turning This Malware Gang’s Tricks Against It


Certain cybercriminal groups like ransomware gangs, botnet operators, and financial fraud scammers get specific attention for their attacks and operations. But the larger ecosystem that underlies digital crime includes an array of actors and malicious organizations that essentially sell support services to these criminal customers. Today, researchers from security firm eSentire are revealing their methods for disrupting the operations of one longtime criminal enterprise that compromises businesses and other organizations and then sells that digital access to other attackers.

Known as an initial-access-as-a-service operation, the Gootloader malware and the criminals behind it have been compromising and scamming for years. The Gootloader gang infects victim organizations and then sells access to deliver a customer’s preferred malware into the compromised target network, whether that’s ransomware, mechanisms for data exfiltration, or other tools to compromise the target more deeply. From tracking Gootloader page data, for example, the eSentire researchers collected evidence that the notorious Russia-based ransomware gang REvil regularly worked with Gootloader between 2019 and 2022 to gain initial access to victims—a relationship that other researchers have noticed as well.

Joe Stewart, eSentire’s principal security researcher, and senior threat researcher Keegan Keplinger designed a web crawler to keep track of live Gootloader web pages and formerly infected sites. Currently, the two see about 178,000 live Gootloader web pages and more than 100,000 pages that historically appear to have been infected with Gootloader. In a retrospective advisory last year, the United States Cybersecurity and Infrastructure Security Agency warned that Gootloader was one of the top malware strains of 2021 alongside 10 others.

By tracking Gootloader’s activity and operations over time, Stewart and Keplinger identified characteristics of how Gootloader covers its tracks and attempts to evade detection that defenders can exploit to protect networks from being infected.

“Digging deeper into how the Gootloader system and malware works, you can find all these little opportunities to impact their operations,” Stewart says. “When you get my attention I get obsessed with things, and that’s what you don’t want as a malware author is for researchers to just completely dive into your operations.”

Out of Sight, Out of Mind

Gootloader evolved from a banking trojan known as Gootkit that has been infecting targets primarily in Europe since as early as 2010. Gootkit was typically distributed through phishing emails or tainted websites and was designed to steal financial information like credit card data and bank account logins. As a result of activity that began in 2020, though, researchers have been tracking Gootloader separately because the malware delivery mechanism has increasingly been used to distribute an array of criminal software, including spyware and ransomware.

The Gootloader operator is known for distributing links to compromised documents, particularly templates and other generic forms. When targets click the links to download these documents they unintentionally infect themselves with Gootloader malware. To get targets to initiate the download, attackers use a tactic known as search-engine-optimization poisoning to compromise legitimate blogs, particularly WordPress blogs, and then quietly add content to them that includes malicious document links.

Gootloader is designed to screen connections to tainted blog posts for a number of characteristics. For example, if someone is logged in to a compromised WordPress blog, whether they have administrator privileges or not, they will be blocked from seeing the blog posts containing the malicious links. And Gootloader goes so far as to also permanently block IP addresses that are numerically close to the address logged in to a relevant WordPress account. The idea is to keep other people in the same organization from seeing the malicious posts.

By focusing on hijacking blogs centered on particular topics, attackers can narrow their potential victim pool to target certain industries or sectors. For example, one Gootloader focus has been on targeting corporate legal departments and law firms by compromising relevant blogs and advertising their malicious documents as templates for “contracts” or other “legal agreements.” So far in 2023 alone, eSentire says it has remediated Gootloader infections at 12 different victim organizations, seven of which were law firms.

“Gootloader is kind of the last big one focusing on this, and their SEO poisoning is actually pretty unique,” Keplinger says. “They’ll spin up like 100 different agreement or contract phrasings on each of these domains that they infect, so there are in the tens of thousands of different iterations of these legal statements. When you’re selling sneakers, you have to compete with every other person using the word ‘sneakers’ in their SEO. But with this, you’re just competing with somebody using that exact legal phrasing, and that’s going to give you very little competition.”

In addition to blocking blog operators from seeing malicious pages, the Gootloader operation relies on a broader blocking system to cultivate victim pools by region while attempting to evade detection in others. For example, attackers set the system so it will only distribute the Gootloader malware to people in certain countries, which currently include the United States, Canada, the United Kingdom, and Australia. If you click one of the malicious links from an IP address associated with another country, you won’t get the malware. Likewise, Gootloader only targets Windows devices, so it won’t distribute if metrics from your browser indicate that you’re on another type of device.

One Simple Trick

Crucially, the system is also designed so users can only download the malware once per day. That way, if a device gets infected and then IT or security staff go through the browsing history and look at the malicious page again, they’ll only see the fake blog post. Stewart and Keplinger realized this Gootloader defense mechanism could also be used against it.

“This is kind of a weakness,” Stewart says. “They’re trying to keep researchers and security teams from being able to view this page, but they rely on these infected blogs to tell them the IP addresses that visit. So what we can do is pretend to visit their payload page as any IP address on the internet, and we can get that IP address blocked, so now we can selectively keep anybody from seeing Gootloader just by hitting that page once a day. We can potentially protect wide swaths of the internet.”
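To make the gating described above concrete for analysts, here is an added toy model (not eSentire's code, and not Gootloader's) of the screening rules the article attributes to the operation: logged-in WordPress visitors and addresses near them are burned permanently, non-target countries and non-Windows browsers get the decoy, and each address gets the payload at most once per day. It assumes "numerically close" means the same /24, which is a labelled assumption, and shows why a second fetch from the same egress address, or a fetch from the site owner's own network, only ever returns the harmless post, which is the behaviour the researchers turned into a protective measure.

```python
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network

# Countries the article says currently receive the payload (ISO codes).
TARGET_COUNTRIES = {"US", "CA", "GB", "AU"}

@dataclass
class Visitor:
    ip: str
    country: str
    os: str
    logged_in: bool = False  # has a session on the compromised WordPress site

@dataclass
class GateModel:
    """Toy model of the screening the article describes; constructed for illustration."""
    permanent_block: set = field(default_factory=set)  # burned networks, as strings
    served_today: dict = field(default_factory=dict)   # ip -> date payload was last served
    adjacency_prefix: int = 24  # ASSUMPTION: 'numerically close' modelled as same /24

    def decide(self, v: Visitor, today: date) -> str:
        addr = ip_address(v.ip)
        if v.logged_in:
            # Logged-in users never see the post, and addresses near them are burned too.
            net = ip_network(f"{addr}/{self.adjacency_prefix}", strict=False)
            self.permanent_block.add(str(net))
            return "decoy"
        if any(addr in ip_network(n) for n in self.permanent_block):
            return "decoy"
        if v.country not in TARGET_COUNTRIES or v.os != "Windows":
            return "decoy"
        if self.served_today.get(v.ip) == today:
            return "decoy"  # once per day per address: a re-visit sees only the blog post
        self.served_today[v.ip] = today
        return "payload"

def preempt(gate: GateModel, ips, today: date) -> int:
    """Defensive effect the researchers describe: once the gate has recorded a
    qualifying visit from an address today, that address is withheld the payload
    for the rest of the day. Returns how many addresses were marked."""
    for ip in ips:
        gate.decide(Visitor(ip, "US", "Windows"), today)
    return len(ips)
```

Constructed sample visitors use documentation ranges (203.0.113.0/24 and friends), so the model runs entirely offline.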

Stewart and Keplinger say they debated speaking publicly about their findings because they know it will likely result in the Gootloader gang changing the design of their system. But they say they decided to come forward to raise awareness more broadly. This way, more defenders can learn about the current options for protecting IP addresses, and an expanded set of malware monitoring services can start to flag Gootloader-infected pages. And if the attackers eliminate their block lists, the researchers point out that it will just make samples of the malware more readily available so scanners can add more detections.

