GootLoader targets users searching for the law on a feline breed

November 26, 2024

A newly discovered GootLoader malware campaign is targeting users searching for information on whether Bengal cats are legal in Australia. Researchers described it as an unusually narrow campaign, since it singles out individuals looking for one specific topic.

According to the reports, the GootLoader operators target searches about this particular cat breed and deliver the payload to users in a specific geography. One of the lures uses the phrase ‘Are Bengal Cats Legal in Australia?’

The malicious payload is a malware loader that threat actors commonly deploy through search engine optimisation (SEO) poisoning strategies to gain initial access.

GootLoader operators can begin the infection chain once they have lured a user who is using a search engine to find the law on a particular topic.

This campaign depends on victims searching for specific terms, such as legal documents and agreements, on search engines such as Google.

The attackers use this to redirect targeted individuals, via booby-trapped links, to compromised websites hosting a ZIP archive that carries a JavaScript payload.

Once run, the loader lets its operators deliver second-stage malware, most commonly the information stealer and remote access trojan known as GootKit. Separate research has shown the loader delivering other malware families as well, including Cobalt Strike, IcedID, Kronos, REvil, and SystemBC, for post-exploitation.

The campaign uses keywords or phrases such as ‘Do you need a licence to own a Bengal cat in Australia?’ When users search for the topic, the attackers' SEO poisoning surfaces malicious links that redirect them to a bogus website.

These websites may look legitimate, but they are compromised sites, in this case belonging to a Belgian LED display manufacturer. Victims are then prompted to download a ZIP archive from them.

The ZIP archive contains a JavaScript file that starts a multi-stage attack chain, ending in a PowerShell script that harvests system information and retrieves additional payloads.
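As an added illustration (not code from the article or from the researchers who analysed the campaign), the following Python script checks ZIP archives for the delivery pattern described above: a script file, typically a lone .js with a long document-style name. The extension list, the name-length threshold and the sample archives are assumptions constructed for this example; the sample script body is a harmless placeholder, not the loader.

```python
from __future__ import annotations

import io
import os
import zipfile

# Extensions that Windows hands to Windows Script Host or mshta on double-click.
# The lure described above uses a .js file; the other extensions are included
# so the check generalises (assumption, not from the article).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}

# Heuristic threshold (assumed): lure names tend to be long, document-style
# phrases rather than short technical file names.
LONG_NAME = 40


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {path: content}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def analyse_zip(zip_bytes: bytes, long_name: int = LONG_NAME) -> dict:
    """Inspect one archive and return its member names, its script members and
    the reasons (if any) it matches the delivery pattern."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    scripts = [i.filename for i in infos
               if os.path.splitext(i.filename)[1].lower() in SCRIPT_EXTENSIONS]
    reasons: list[str] = []
    if scripts and len(infos) == 1:
        reasons.append("single script member")
    elif scripts:
        reasons.append("contains script member(s)")
    for name in scripts:
        if len(os.path.basename(name)) > long_name:
            reasons.append(f"long document-style name: {name}")
    return {
        "members": [i.filename for i in infos],
        "scripts": scripts,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples (not real campaign artefacts). Only the packaging
# pattern is exercised; the script body is a harmless placeholder.
SAMPLE_LURE = build_zip({
    "are_bengal_cats_legal_in_australia_licence_requirements_guide_2024.js":
        b"// constructed placeholder, not the real loader\nvar x = 1;\n",
})
SAMPLE_BENIGN = build_zip({
    "notes/readme.txt": b"hello\n",
    "notes/report.pdf": b"%PDF-1.4 constructed placeholder\n",
})


if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = analyse_zip(blob)
        print(f"{label}: suspicious={result['suspicious']} reasons={result['reasons']}")
```

The check is deliberately conservative: a script inside an archive is reported on its own, and the single-member and long-name signals are added as separate reasons so a triage tool can weigh them. Point it at mail-gateway or download-directory quarantines rather than at arbitrary archives, since developer tooling legitimately ships .js files in ZIPs.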

Researchers have not yet observed GootKit being deployed in this case, although it is otherwise a typical GootLoader campaign. Australians interested in felines, or who want to own this particular breed, should know that a purpose-built cybercriminal operation is targeting them. Treat search results for these topics with suspicion, and do not download or open ZIP archives, or run JavaScript files, from sites that surface for them.
