Overview

Active since 2018, GootLoader is a malware downloader that can deliver secondary payloads such as Cobalt Strike, REvil ransomware, Gootkit, BlueCrab and the Kronos trojan. The malware is distributed primarily through search engine optimisation (SEO) poisoning, including the use of sponsored search engine links. Following one of these links directs victims to legitimate but compromised WordPress sites that host the malware inside a .ZIP file.

Recent targeting trends show that the malware has been observed in attacks against law firms in the US, Canada, the UK, and Australia. This suggests that the malware is more likely to be delivered through sponsored search engine adverts that mimic sites of interest to those working in the legal industry, such as search results for legal documents and agreements.

Historic reporting indicates that GootLoader was primarily used to deploy ransomware. However, recent examples of the malware's use have not involved the deployment of ransomware, suggesting a potential shift in operations and motivation by threat actors towards cyber espionage activities.

Further Malware Reports from Quorum Cyber

Headquarters

Verdant
2 Redheughs Rigg
Edinburgh
United Kingdom
EH12 9DQ

Colorado, USA Office

950 S Cherry St Ste 505
Denver, Colorado
USA
80246

Ontario, Canada Office

1375 North Service Rd E
Suite 102
Oakville
Ontario L6H 1A7

Arizona, USA Office

1300 S Litchfield Rd
110-L, Goodyear
USA
Arizona 85338
