A malware family that is more than five years old is putting user data at risk by gaming Google and other search engines. According to security firm Sophos, the trojan’s functionality usually centres on banking credential theft, but “much effort” has gone into improving how it is delivered to users in recent years. “In the past, Sophos and other security experts have bundled the discussion of the malware itself with analysis of the delivery mechanism, but as this method has been adopted to deliver a wider range of malicious code, we assert that this mechanism deserves scrutiny (and its own name), distinct from its payload, which is why we’ve decided to call it Gootloader,” the firm said of the new delivery method.
Under the new method, the hackers behind Gootloader maintain a “network” of roughly 400 servers and websites that game search engine ranking algorithms so the sites appear at the top of certain searches. Sophos noted that these websites surface for very specific, narrow searches and look completely legitimate to the people they draw in.
Surprisingly, the websites seem to appear on top of searches even when they don’t actually relate to them. Sophos cited one example where a neonatal medical practice based in Canada was showing up on top of a search related to real estate. “Google itself indicates the result is not an ad, and they have known about the site for nearly seven years. To the end user, the entire thing looks on the up-and-up,” the security firm said in its blog post.
Visitors to these websites are offered a “direct download link”, which delivers a .zip file named after the original search query to their computers. Inside the archive is a compressed file with a .js extension, which is the initial infector. “Everything that happens after the target double-clicks this script runs entirely in memory, out of the reach of traditional endpoint protection tools,” the firm said.
The firm didn’t indicate what data the malware is stealing, or exactly how it affects the user. However, it said search engines are in a position to monitor for this, since the malware “games” their algorithms in order to appear in search results in the first place. It also advised users to enable the display of file extensions on their Windows PCs so they can spot files with a .js extension and treat them with suspicion.
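The delivery format described above (a .zip that wraps a script file, possibly inside a second archive) is easy to check for before anything is double-clicked. The following is an added example, not code from Sophos or the article: it inspects an archive in memory and reports any script members, recursing into nested zips. The .js extension is the one the article names; the other script extensions, the nesting limit and the sample archive are assumptions constructed for the demonstration.

```python
import io
import zipfile

# .js is the extension Sophos describes; the others are assumed additions
# for files the Windows script host will also run on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

MAX_NESTING = 3  # stop unpacking archives nested deeper than this


def find_script_members(zip_bytes: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """Return archive-relative paths of script files inside a zip.
    Nested zips are opened in memory up to MAX_NESTING levels; nothing
    is extracted to disk, so the scan cannot trigger the script."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                name = info.filename
                lower = name.lower()
                if any(lower.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                    findings.append(prefix + name)
                elif lower.endswith(".zip") and depth < MAX_NESTING:
                    inner = zf.read(info)
                    findings.extend(find_script_members(inner, depth + 1, prefix + name + "/"))
    except zipfile.BadZipFile:
        pass  # not a zip (or corrupt): nothing to inspect
    return findings


def build_zip(members: dict[str, bytes]) -> bytes:
    """Helper to construct an in-memory zip from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample (not a real Gootloader archive): an outer zip named after
# a search phrase, holding an inner zip with the .js file plus a benign document.
SAMPLE = build_zip({
    "example_search_phrase.zip": build_zip({"example_search_phrase.js": b"// script body"}),
    "readme.pdf": b"%PDF-1.4 ...",
})

if __name__ == "__main__":
    for hit in find_script_members(SAMPLE):
        print("script file inside archive:", hit)
```

The same function can be pointed at a Downloads folder by reading each .zip there and flagging anything it returns.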