Search Engine Optimization (SEO) is used legitimately by webmasters to increase a website’s exposure on search engines such as Google or Bing. It now appears, however, that threat actors are tampering with the content management systems of websites in order to serve financial malware, exploit tools, and ransomware.

What do you need to know about “Gootloader”?

This technique relies on the deployment of the infection framework for the Gootkit Remote Access Trojan (RAT), which also delivers a variety of other malware payloads.

“The so-called search engine “deoptimization” method includes both SEO tricks and the abuse of human psychology to push websites that have been compromised up Google’s rankings.”


How does it spread?

When running a specific Google search, the user clicks on a result that has been modified: it no longer has anything to do with the search, it only looks like it does.

On this page, the user may be offered a “direct download link” that delivers a .zip archive whose filename exactly matches the search terms used in the initial search.

The archive contains a .js file, which is the initial infector and the only point at which a malicious file is written to the filesystem. Everything after that runs entirely in the machine’s memory, hidden from and therefore not noticed by traditional endpoint protection tools.
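The delivery pattern described above (a .zip named after the search terms that carries only a .js file) can be triaged from the archive's file listing without extracting anything. The following is an added example, not code from the original article or from any vendor; the function names, the three-word threshold and the sample archives are constructed assumptions.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

SCRIPT_EXTS = {".js"}  # the article names .js as the initial infector

def looks_like_search_phrase(archive_name, min_words=3):
    """Heuristic (assumption): a stem made of several words resembles a typed query."""
    stem = PurePosixPath(archive_name).stem
    words = [w for w in re.split(r"[\s_\-+()]+", stem) if w.isalpha()]
    return len(words) >= min_words

def triage_zip(archive_name, data):
    """Classify one downloaded archive from its file listing only (nothing is extracted)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"archive": archive_name, "verdict": "unreadable", "scripts": []}
    scripts = [m for m in members if PurePosixPath(m).suffix.lower() in SCRIPT_EXTS]
    only_scripts = bool(members) and len(scripts) == len(members)
    if only_scripts and looks_like_search_phrase(archive_name):
        verdict = "suspicious"   # matches the lure: query-like name, nothing but script
    elif scripts:
        verdict = "review"       # script present, but mixed with ordinary content
    else:
        verdict = "clean"
    return {"archive": archive_name, "verdict": verdict, "scripts": scripts}

def make_zip(members):
    """Build an in-memory zip from {name: text} so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples; the .js bodies are inert placeholders.
SAMPLES = {
    "example_lease_agreement_template.zip":
        make_zip({"example_lease_agreement_template.js": "// inert placeholder"}),
    "project-assets.zip": make_zip({"src/app.js": "// app code", "README.md": "docs"}),
    "holiday photos 2020.zip": make_zip({"img001.jpg": "not a real image"}),
    "truncated download file.zip": b"PK\x03\x04 not a real archive",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage_zip(name, data))
```

A "suspicious" verdict is a reason to quarantine and inspect the file, not proof of infection; legitimate archives that hold only JavaScript will also be flagged.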

Where does SEO come into play?

First of all, using SEO as a technique to deploy the Gootkit RAT is not an easy or small operation. According to research, an estimated 400 or more network servers are needed for the deployment to be successful.

For the time being, it is not clear whether a particular security exploit is used to compromise the domains, so it is believed that the CMS running the backend of the websites might have been hijacked through malware, stolen credentials, or plain brute-force attacks.

What happens after the attackers have gained access?

Once the threat actors have obtained access, a few lines of code are inserted into the body of the website content. Checks based on IP and location are performed to see whether the visitor is of interest as a target.

How the attackers gained access to the websites matters less than what follows: from this point on, they insert a few additional lines of code into the body of the web page.

“If the right conditions are met (and there have been no previous visits to the website from the visitor’s IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic.”


It is also interesting that Gootloader has moved as much of its infection infrastructure as possible to a “fileless” methodology. Though not completely fileless, the technique is quite effective at evading detection over a network.

How to stay safe?

Maybe you can recognize some signals of nefarious activity, but even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use. 

Better stay safe and use an integrated threat prevention solution. 
