Ransomware makes headlines because of the huge blackmail demands that usually come at the end of a ransomware attack.
In fact, the word “ransom” expresses only half of the drama today, because modern ransomware attacks often involve criminals making copies of all of your data before scrambling it.
The crooks then demand a combined payment, part ransom and part hush money.
You are not only paying to get your own scrambled copies of your data back, but you are also paying for a promise by the criminals that they will delete all the data they have just stolen, rather than releasing it to the public.
But what about how a ransomware attack starts?
Technically, this is usually much more interesting – and often more important as well, since many ransomware attacks are just the final blow to your network at the end of what may have been a prolonged intrusion lasting days, weeks or even months.
Given the danger that arises as soon as criminals get into your network, it is as important to learn how the malware is distributed in the first place as it is to know what happens to your files when the ransomware finally scrambles them.
With that in mind, SophosLabs has just published an intriguing report on a malware distribution ecosystem called Gootloader.
You may have heard of Gootkit, a name given to the malware family of which Gootloader is a part, because it has been around for several years.
But SophosLabs decided to give the initial delivery mechanism a name of its own and study it on its own:
The Gootkit malware family has been around for more than half a decade – a mature Trojan with functionality centered on the theft of bank credentials. In recent years, almost as much effort has been made to improve its delivery method as on the NodeJS-based malware itself.
In the past, Sophos and other security experts have grouped the discussion of the malware itself with the analysis of the delivery mechanism, but since this method was adopted to deliver a wider range of malicious code, we claim that this mechanism deserves scrutiny (and its own name), different from its payload, so we decided to call it Gootloader.
The report presents the kind of detail that is worth knowing if you are interested in how modern malware embeds itself in and spreads across a network, including a discussion of so-called “fileless” attacks.
The term fileless attack is a bit of a misnomer, because “fileless” malware usually involves at least one physical file to launch the malware and may also depend on several intermediate files along the way. But fileless malware is totally different from normal software in the way it operates. Well-behaved software typically installs its executable code in a self-contained directory on your hard drive, uses the registry to save your configuration settings, and depends on the operating system to load its various software modules into memory and keep them under control. Fileless malware violates these conventions (ironically, it tends to use the registry as a stealthy place to store obfuscated versions of its executable code), loading its malicious code directly into memory to bypass the regular tools that system administrators use to monitor the system for unexpected and unwanted processes.
Search treachery
Even if you are not an assembly language expert or a malware analyst, the SophosLabs article is worth reading for its description of how the Gootloader criminals lure unsuspecting users into installing the Gootloader malware in the first place.
Simply put, the crooks game Google’s search engine, tricking Google into treating hacked sites as trusted sources and presenting innocent users with “perfect matches” for their searches.
(As far as we can tell, this gang has focused its efforts on poisoning Google searches, but the tricks below can also be used against other search engines.)
The report explains the process in detail, but we’ll summarize it here:
- Criminals hack into hundreds of innocent web servers and deploy artificially generated content containing phrases that search engines are likely to associate with expertise in a specific field. Examples include real estate, labor laws, import/export regulations, company partnerships and more.
- Every once in a while, the crooks get lucky and one of their hacked sites appears as one of Google’s top hits for a specific search term entered by an innocent user. There is a good chance that the user will click on the Google link that appears, because the search hit looks like a natural result rather than a paid ad or a sponsored link.
- If the user clicks through to the hacked server, the crooks recognise that the click came via a Google search by inspecting the Referer: header (yes, that header name was misspelled in the original specification) in the web request. The server then deliberately serves a fraudulent web page that looks like a message board on which someone else recently asked the same question.
- The fake message board page includes the earlier “question”, along with what appears to be a reply from a site administrator recommending a download link that answers it. To make the page even more convincing, there is a further reply, apparently from the original questioner, thanking the administrator for the quick and useful answer.
SophosLabs found fake Gootloader message board pages in a variety of different languages, including English, German, French and Korean, with different campaigns targeting different regions.
Here is an example in English taken from the report, in which the unfortunate visitor searched for information along the lines of intercompany settlement agreement (chart) alberta:

A veneer of credibility
As you can see, the search term doesn’t fit neatly into the boilerplate text used by the Gootloader crooks, but it looks realistic enough at first glance.
The “happy user” vote of thanks, coupled with the fact that the date stamps are recent, gives the content a veneer of verisimilitude.
The title of the displayed “message board” page, the download link that appears and the name of the file offered for download are all constructed from the search phrase to make the fake page look like a perfect match for the question.
Note that although the hacked website displays the malicious download link, the link itself points to a different download server.
We are assuming that the criminals use this two-stage approach so that Gootloader’s own malware files never appear on the hacked website, which helps the hacked website keep a clean reputation for much longer than it otherwise could.
What to do?
- Stop. Think. Connect. This search poisoning trick works because the website you visit seems to fit your search perfectly, which seems too much of a coincidence for a con artist to have anticipated. But if you look closely at the imposter’s page, you will see that it is a carefully constructed setup, designed to look like a happy coincidence. Remember the cybersecurity saying: “If it sounds too good to be true, it is too good to be true!”
- Use an antivirus with a built-in web filter. A search poisoning subterfuge like this gives your web filter not one but three chances to detect the treachery. It can proactively block this attack at the first click on the hacked website, at the second click on the download URL, or at the final download, before the malware reaches your computer in a form that could do harm.
- Use an antivirus with in-memory scanning protection features. Don’t just rely on file-based scanning and detection. Increase your protection with behavior monitoring tools that can detect programs that start out harmless but become malicious in memory after being run, seemingly innocently, for a while.
- Tell Windows to show you file extensions. The Gootloader samples described in the report arrive as a JavaScript program file compressed into a ZIP file. With file extensions hidden, JavaScript programs do not show the revealing .JS marker at the end of the file name, and they appear with an icon that looks like a scroll. This makes it easier to misidentify them as harmless text files.
To tell Windows to show file extensions, open File Explorer, click the View item in the menu bar, then tick the File name extensions option. If the Explorer window is narrow, you may need to open the Show/hide section first.
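A mail gateway or triage script can apply the same check that the file-extension advice above asks a human to make: look inside the ZIP and flag members whose real extension is a script type, especially when a document-style extension has been put in front of it to disguise the file. The following Python script is an added example for this article, not tooling from the SophosLabs report; the archive contents are constructed to mirror the lure described above (the placeholder member bodies are not malware), and the extension lists are an assumption that a real deployment would tune.

```python
"""Added example (not the report's own tooling): inspect a ZIP attachment
for script files that Explorer would display without their extension."""
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Optional

# Extensions the Windows shell / Windows Script Host will run on double-click
# (assumed list; extend to match local policy).
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd", ".scr",
}
# Extensions a user expects to belong to harmless documents.
DOCUMENT_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}


def classify_member(name: str) -> Optional[str]:
    """Return a finding for one archive member name, or None if unremarkable."""
    path = PurePosixPath(name.replace("\\", "/"))
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes or suffixes[-1] not in SCRIPT_EXTENSIONS:
        return None
    if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
        return f"double extension disguising a script as a document: {name}"
    return f"executable script inside archive: {name}"


def scan_zip(data: bytes) -> List[str]:
    """Walk every file member of the archive and collect findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = classify_member(info.filename)
            if finding:
                findings.append(finding)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive mirroring the lure described in the article.
    The member bodies are inert placeholder text, not real Gootloader samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("intercompany settlement agreement (chart) alberta.js", "// placeholder\n")
        zf.writestr("readme.txt", "plain text\n")
        zf.writestr("invoice.pdf.js", "// placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip(build_sample_zip()):
        print(line)
```

Checking the member names rather than trusting the icon is the programmatic equivalent of turning file extensions on: a file that Explorer would show as a scroll icon named “invoice.pdf” is reported here as a script with a disguising double extension.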
