New GootLoader Campaign Targets Users Searching for Bengal Cat Laws in Australia


In an unusually specific campaign, users searching about the legality of Bengal Cats in Australia are being targeted with the GootLoader malware.

“In this case, we found the GootLoader actors using search results for information about a particular cat and a particular geography being used to deliver the payload: ‘Are Bengal Cats legal in Australia?,'” Sophos researchers Trang Tang, Hikaru Koike, Asha Castle, and Sean Gallagher said in a report published last week.

GootLoader, as the name implies, is a malware loader that’s typically distributed using search engine optimization (SEO) poisoning tactics for initial access.

Specifically, when a user searches on Google or another search engine for certain terms, such as legal documents and agreements, the poisoned results surface booby-trapped links to compromised websites. Those sites serve a ZIP archive containing a JavaScript payload, and the malware is deployed when the victim opens it.

Once installed, it makes way for a second-stage malware, often an information stealer and remote access trojan dubbed GootKit, although it has also been observed delivering other families such as Cobalt Strike, IcedID, Kronos, REvil, and SystemBC in the past for post-exploitation.

The latest attack chain is no different in that searches for “Do you need a license to own a Bengal cat in Australia” surface results that include a link to a legitimate-but-infected website belonging to a Belgium-based LED display maker, from where victims are prompted to download a ZIP archive.

Present within the ZIP archive is a JavaScript file that’s then responsible for kicking off a multi-stage attack chain that culminates in the execution of a PowerShell script capable of harvesting system information and fetching additional payloads. It’s worth noting that an identical campaign was documented by Cybereason earlier this July.
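The delivery chain described in the two paragraphs above (a ZIP archive carrying a lone JavaScript file, then a hand-off to PowerShell) lends itself to two inexpensive checks: inspect downloaded archives for script-type members before the user can open them, and watch process-creation telemetry for a Windows Script Host process running a .js file that spawns PowerShell. The block below is an added example in Python, not code from the Sophos report or from The Hacker News. The archive contents, file names and process records are constructed for the example; it assumes the Windows default of executing a double-clicked .js file under wscript.exe, which the article does not state, and the process records use a reduced Sysmon Event ID 1 shape (pid, ppid, image, cmdline).

```python
import io
import zipfile

# Extensions Windows Script Host or mshta will run on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
# Script hosts that execute a .js file by default (assumption: stock Windows file associations).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Second-stage interpreters worth flagging when launched from a script host.
PAYLOAD_CHILDREN = {"powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def script_entries_in_zip(zip_bytes: bytes) -> list:
    """Names of script-type members inside a ZIP archive (in archive order)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = _basename(info.filename)
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in SCRIPT_EXTENSIONS:
                found.append(info.filename)
    return found


def is_lure_like(zip_bytes: bytes) -> bool:
    """True when the archive has at least one member and every member is a script.

    The lure described in the article is a ZIP whose payload is a JavaScript
    file, so an archive made only of scripts is a strong quarantine candidate.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i.filename for i in zf.infolist() if not i.is_dir()]
    return bool(members) and len(script_entries_in_zip(zip_bytes)) == len(members)


def script_host_to_powershell(events: list) -> list:
    """Flag PowerShell started by a script host that was itself running a .js file.

    events: process-creation records as dicts with keys pid, ppid, image, cmdline.
    Returns (parent_cmdline, child_cmdline) pairs for each suspicious hand-off.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) not in PAYLOAD_CHILDREN:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or _basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        if ".js" in parent["cmdline"].lower():
            hits.append((parent["cmdline"], e["cmdline"]))
    return hits


def build_sample_zip(members: dict) -> bytes:
    """Build a constructed archive in memory for offline testing (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed process-creation records: one malicious chain, two benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # User double-clicks the JavaScript file extracted from the lure ZIP.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\bengal_cat_license.js"'},
    # The script stage hands off to a hidden PowerShell that gathers host details.
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -Command Get-ComputerInfo"},
    # Benign: PowerShell opened by the user from Explorer, no script-host parent.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    # Benign: a logon .vbs script that spawns cmd.exe rather than PowerShell.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\scripts\mapdrives.vbs"'},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c net use"},
]


if __name__ == "__main__":
    lure = build_sample_zip({"bengal_cat_license.js": "// constructed stand-in, not malware"})
    print("script members:", script_entries_in_zip(lure), "lure-like:", is_lure_like(lure))
    for parent, child in script_host_to_powershell(SAMPLE_EVENTS):
        print("ALERT script host -> PowerShell:", parent, "=>", child)
```

The archive check is deliberately extension-based so it can run on a gateway before anything executes; it will not catch a script renamed to a benign extension, which is why the process-tree check is the second layer. Both checks are narrow by design: a parent of wscript.exe with a .js argument and a PowerShell child is rare in normal use, so the rule produces few false positives, while the benign records above show the two common look-alikes it ignores.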

Sophos said it did not observe GootKit being deployed in the case it analyzed, because the download of additional malware was prevented before that stage.

“GootLoader is one of a number of continuing malware-delivery-as-a-service operations that heavily leverage search results as a means to reach victims,” the researchers said. “The use of search engine optimization, and abuse of search engine advertising to lure targets to download malware loaders and droppers, are not new—GootLoader has been doing this since at least 2020.”

The Hacker News