Dangerous malware steals user passwords
Sophos cybersecurity researchers have just uncovered a new, highly sophisticated malware delivery mechanism.
It is built on Gootkit, a malware family that is several years old and has evolved so that it can push fraudulent sites to the top of Google's search results and thereby infect many machines.
This new delivery mechanism, dubbed Gootloader, “uses malicious search engine optimization (SEO) techniques to sneak into Google search results.
The way in which it accomplishes this task deserves some discussion, because it is centered as much on technology as on human psychology,” the researchers indicate in their report.
But the danger of the Gootloader campaign does not lie only in its ability to make its sites climb the search results.
The sites it promotes adapt to the searches carried out by Internet users so as to display the exact answer to their question.
A real chameleon
The targets will naturally click on the link displayed in the first or second position.
Unfortunately, this can hide a download link for malware.
In other cases, the link points to a discussion thread on a completely legitimate-looking forum.
There, the user finds the answer to his problem in a message from a supposed administrator, who asserts that the solution is behind his download link.
Obviously, once again, this is malware.
“When someone types a question into a search engine like Google, hacked websites show up among the top results.
To ensure that targets from the correct geographies are captured (US, France, Germany, South Korea), adversaries rewrite website code “on the fly” so that website visitors who are not from the desired countries see harmless web content, while those in the right place see a page with a bogus discussion or forum on the topic they queried.
The fake websites are visually identical, whether they are in English, German or Korean,” the researchers detail, showing how sophisticated the campaign is.
The damage is done
Once the target downloads the malware, it acts in the shadows.
Depending on the region, Gootloader downloads a different piece of malware: ransomware, a Trojan horse, financial malware, etc.
“Fortunately, there are a few warning signs that internet users can look for.
These include Google search results that link to websites for businesses that have no logical connection to the advice they seem to offer, and advice that precisely matches the search terms used in the original question,” the researchers further explain.
Search results that only show a download link with terms that perfectly match the search are also suspect.