Sophos released a report yesterday detailing “Gootloader,” the JavaScript-based infection framework, and how it is currently abusing search engine optimization (SEO) to infect its victims. Gootloader is current targeting victims in France, Germany, North America and South Korea. Through the SEO abuse, the actors behind Gootloader can make legitimate but compromised websites appear in Google search results. These sites often have little or nothing to do with the search query but can appear to be legitimate results at first glance. In an example provided by Sophos, a site for a Canadian-based neonatal medical practice is the first search result but clicking on the result loads a fake forum page appearing to have the site’s administrator answer a question with a link that leads to malware.
Source: Sophos
Visitors clicking on the offered “answer” end up downloading a zip archive containing a JavaScript file, both named to match the original search query. Many of the infected sites are running WordPress, but it is currently unclear how the actors are compromising them. Sophos estimates that the actors currently maintain roughly 400 compromised sites to deliver the malware.
Analyst Notes
WordPress administrators should regularly check plugins and WordPress itself for available security updates. Care should be taken to only install plugins as needed, uninstalling them, rather than only disabling, when they are no longer used. Site or server administrators can also employ directory monitoring to quickly alert on any unauthorized changes to the directory where a website is being served from. By filtering out any directories specifically created for file uploads, there should be few false positive alerts.
