Ransomware makes the big headlines because of the huge blackmail demands that usually come at the end of a ransomware attack.
In fact, the word “ransom” only tells half the story these days, because modern ransomware attacks often involve the criminals taking copies of all your data before encrypting it.
The crooks then demand a combined payment: part ransom, part hush money.
You’re not only paying to get your local copies of your data decrypted, but also for a promise from the thieves that they will delete all the data they just stole instead of posting it publicly.
But what about the start of a ransomware attack?
Technically, it’s often much more interesting, and often more important too, because many ransomware attacks are merely the final blow to your network at the end of what may have been a prolonged intrusion lasting days, weeks or even months.
Given the danger that arises as soon as criminals sneak into your network, knowing how the malware is delivered in the first place is as important as knowing what happens to your files when the ransomware finally scrambles them.
With that in mind, SophosLabs has just published an intriguing report on a malware delivery ecosystem dubbed Gootloader.
You may have heard of Gootkit, the name given to the malware family that includes Gootloader, because it has been around for several years.
But SophosLabs decided to give the initial delivery mechanism its own name and to study it in its own right:
The Gootkit malware family has been around for more than half a decade – a mature Trojan with features focused on stealing banking credentials. In recent years, almost as much effort has gone into improving its delivery method as into the NodeJS-based malware itself.
In the past, Sophos and other security experts have bundled discussion of the malware with analysis of the delivery mechanism, but since this method has been adopted to deliver a wider range of malicious code, we assert that the mechanism deserves scrutiny (and its own name), distinct from its payload, which is why we have decided to call it Gootloader.
The report goes into the sort of detail worth knowing about if you’re interested in how modern malware gets embedded and spread inside a network, including a discussion of so-called “fileless” attacks.
The term fileless attack is a bit of a misnomer, because “fileless” malware usually involves at least one physical file to kick things off and may also rely on several intermediate files along the way. But fileless malware is quite unlike regular software in the way it runs. Well-behaved software usually installs its executable code in a dedicated directory on the hard disk, uses the registry to save its settings, and relies on the operating system to load the various software modules into memory and keep track of them. Fileless malware flouts these conventions (ironically, it often uses the registry as a sneaky place to store obfuscated versions of its executable code), loading malicious code directly into memory to evade the usual tools that sysadmins use to check the system for rogue or unwanted processes.
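As an added example (this is not code from the SophosLabs report, and it models no specific Gootloader indicator), here is a triage heuristic for the registry trick mentioned above: parse the text that `reg export` produces and flag string values that are suspiciously long and high-entropy, which is the profile of an obfuscated payload parked in the registry. The `.reg` snippet, the key paths, the 512-character length floor and the 4.5 bits-per-character threshold are all constructed or assumed for the example.

```python
# Added example: triage of a "reg export" text dump for stashed code blobs.
# Not from the SophosLabs report; key paths, thresholds and data are made up.
import base64
import hashlib
import math
import re

MIN_LENGTH = 512      # ordinary settings are short; code blobs are not (assumed floor)
MIN_ENTROPY = 4.5     # bits per character; English prose sits around 4.2 (assumed cut-off)

_KEY = re.compile(r"^\[(.+)\]$")
_STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for each REG_SZ line of a .reg dump.
    Only the quoted-string form is handled; hex:/dword: lines are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            key = m.group(1)
            continue
        m = _STRING_VALUE.match(line)
        if m and key:
            yield key, m.group(1), m.group(2)


def suspicious_values(text, min_length=MIN_LENGTH, min_entropy=MIN_ENTROPY):
    """Return [(key, name, length, entropy)] for values that look like stored code."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if len(data) >= min_length:
            h = shannon_entropy(data)
            if h >= min_entropy:
                hits.append((key, name, len(data), round(h, 2)))
    return hits


def _fake_blob():
    # Deterministic stand-in for an obfuscated payload: base64 of hashed bytes.
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    return base64.b64encode(raw).decode()


# Constructed dump: one ordinary setting, one long but low-entropy string
# (should not fire), and one blob of the kind a fileless loader might stash.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_CURRENT_USER\\Software\\ExampleApp]",
    '"Theme"="dark"',
    '"Notes"="' + "all work and no play " * 40 + '"',
    "",
    "[HKEY_CURRENT_USER\\Software\\ExampleApp\\Cache]",
    '"Blob"="' + _fake_blob() + '"',
])

if __name__ == "__main__":
    for key, name, length, ent in suspicious_values(SAMPLE_REG):
        print(f"{key}\\{name}: {length} chars, {ent} bits/char")
```

A real `reg export` file is UTF-16 with a byte-order mark, so decode it before handing the text to `suspicious_values()`; the heuristic is a starting point for hunting, not a verdict, since legitimate software also stores large encoded settings.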
Luring in the victims
Even if you’re not an assembly language expert or a malware analyst, it’s worth reading the SophosLabs paper for its description of how the Gootloader criminals lure well-meaning users into installing the Gootloader malware.
Simply put, the crooks game Google’s search engine, fooling Google into treating hacked websites as reliable sources and presenting them as seemingly “perfect matches” to innocent users’ search queries.
(As far as we can tell, this gang has focused its efforts on poisoning Google searches, but the tricks below could also be used against other search engines.)
The report explains the process in detail, but we’ll summarise it here:
- The crooks hack into hundreds of innocent web servers and plant artificially generated content containing phrases that search engines are likely to associate with expertise in a specific field. Examples include real estate, employment law, import/export regulations, business partnerships and more.
- From time to time the crooks get lucky and one of their hacked sites becomes a top Google hit for a specific search term entered by an innocent user. There’s a good chance the user will click the Google link that appears, because the search hit looks like an organic result rather than a paid ad or a sponsored link.
- If the user clicks through to the hacked server, the crooks recognise that the click came from a Google search by looking at the Referer: header (yes, the header name was misspelled in the original specification) in the web request. The server then deliberately serves up a bogus web page that looks like a message board where someone recently asked the very same question.
- The fake message board page includes the “question” above, together with what appears to be a reply from a site administrator recommending a download link that answers the question. To make the page look even more convincing, there’s a further reply, apparently from the original poster, thanking the admin for their quick and helpful response.
SophosLabs has come across fake Gootloader message board pages in several languages, including English, German, French and Korean, with different campaigns targeting different regions.
Here’s an English example from the paper, where the unfortunate visitor had searched for something along the lines of intercompany settlement agreement (chart) alberta:

A veneer of plausibility
As you can see, the search term doesn’t fit naturally into the boilerplate text used by the Gootloader crooks, but it looks realistic enough at a glance.
The “happy user” thank-you post, together with the fact that the dates are recent, gives the content a veneer of credibility.
The title of the “message board” site that is presented, the download link that appears and the name of the file offered for download are all constructed from the search phrase, so that the fake page looks like a perfect match for the query.
Note that although the hacked site displays the malicious download link, the link itself points to a different download server.
We assume the crooks use this two-stage approach to keep the Gootloader malware off the hacked site itself, which helps the hacked site keep a clean reputation for much longer than it otherwise would.
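To make the delivery chain above concrete (the Referer-gated cloaking in the bulleted summary and the phrase-derived title, link and filename just described), here is an added example that is not code from the SophosLabs report or from the Gootloader gang. It models a hacked site that serves the fake forum page only to visitors arriving from a Google search, with a download link pointing at a separate server, and it includes the two-request check a defender can run to spot that gating. The download host, the page wording and the search phrase are all made up for the example.

```python
# Added example: Referer-gated cloaking as described in the text, plus a
# defender-side check. Not Gootloader's code; hostnames and wording are made up.
import re
from urllib.parse import urlparse

# Hypothetical second-stage host, separate from the hacked site itself.
DOWNLOAD_HOST = "files.example.net"

# google.com plus country domains such as google.co.uk; anchored so that
# look-alikes such as google.com.evil.example do not match.
_GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z]{2,}(\.[a-z]{2,})?$")


def came_from_google(headers):
    """True if the request's Referer (sic) header names a Google search page."""
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not referer:
        return False
    host = (urlparse(referer).hostname or "").lower()
    return bool(_GOOGLE_HOST.match(host))


def slugify(phrase):
    """Turn the search phrase into the file-name-safe form used in the lure."""
    return re.sub(r"[^a-z0-9]+", "_", phrase.lower()).strip("_")


def fake_forum_page(phrase):
    """Render the bogus Q&A thread: title, link text and filename all come
    from the search phrase, and the link points off-site."""
    slug = slugify(phrase)
    link = f"https://{DOWNLOAD_HOST}/{slug}.zip"
    return (
        f"<title>{phrase}</title>\n"
        f"<p><b>visitor:</b> Does anyone have a {phrase}?</p>\n"
        f"<p><b>admin:</b> Yes, here it is: <a href=\"{link}\">{phrase}</a></p>\n"
        f"<p><b>visitor:</b> Thanks admin, that's exactly what I needed!</p>\n"
    )


ORDINARY_PAGE = "<title>Welcome</title>\n<p>Our firm's regular home page.</p>\n"


def serve(headers, phrase):
    """The hacked site's cloaking decision for one request: the lure page
    for search-engine arrivals, the site's normal page for everyone else."""
    return fake_forum_page(phrase) if came_from_google(headers) else ORDINARY_PAGE


def is_cloaked(handler):
    """Defender check: request the same URL with and without a Google
    Referer and report whether the returned content differs.
    `handler` maps a header dict to a response body."""
    direct = handler({})
    via_google = handler({"Referer": "https://www.google.com/"})
    return direct != via_google


if __name__ == "__main__":
    phrase = "intercompany settlement agreement alberta"   # constructed query
    print(serve({"Referer": "https://www.google.com/"}, phrase))
    print("cloaked:", is_cloaked(lambda h: serve(h, phrase)))
```

Against a live site the `handler` would be two real HTTP fetches of the suspect URL; the point of the check is that a page whose content depends on whether you appear to have come from a search engine is behaving exactly as the report describes.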
What to do?
- Stop. Think. Connect. This search poisoning trick works because the website you land on seems to fit your search perfectly, which is too much of a coincidence for a criminal to have anticipated in advance. But if you look closely at the impostor page, you should notice that it’s a carefully constructed set-up designed to look like casual luck. Remember the cybersecurity saying: “If it looks too good to be true, it IS too good to be true.”
- Use an anti-virus with a built-in web filter. A search poisoning subterfuge like this gives your web filter not one but three chances to detect the treachery. It can proactively block the attack by stopping the first click to the hacked site, the second click to the download URL, or the final download itself, before the malware even reaches your computer.
- Use an anti-virus with in-memory protection. Don’t rely on file-based scanning and detection alone. Bolster your protection with behavioural monitoring tools that can detect programs that start off harmlessly but turn malicious in memory after running innocently for a while.
- Tell Windows to show file extensions. The Gootloader samples described in the report arrive as a JavaScript program file inside a ZIP file. With file extensions hidden, JavaScript programs don’t show the tell-tale .JS at the end of the filename and appear with an icon that looks like a scroll of parchment, which makes them easy to mistake for harmless text files.
To tell Windows to show file extensions, open File Explorer, click View in the menu bar and turn on the File name extensions option. If the Explorer window is narrow, you may need to open the Show/hide tab first.
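As an added example (not code from the SophosLabs report, and no real Gootloader sample), here is what hiding extensions costs you, in code: a ZIP is built in memory with a JavaScript member whose name is designed to pass for a document once Explorer hides the .js, a scanner lists every member whose real extension is a Windows script type, and `displayed_name()` shows what a user with extensions hidden would see. The example goes a step beyond the text by using a double extension (.pdf.js), a common variant of the same trick; the member names and the set of script extensions are constructed for the example.

```python
# Added example: scanning a ZIP for script files and showing how their names
# look once Explorer hides extensions. Member names are constructed.
import io
import zipfile

# Extensions that the Windows Script Host, HTML host or PowerShell will run on
# double-click. This set is an assumption for the example, not an exhaustive list.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}


def real_extension(member):
    """Lower-cased final extension of an archive member, or '' if it has none."""
    base = member.rsplit("/", 1)[-1]
    _stem, dot, ext = base.rpartition(".")
    return ("." + ext.lower()) if dot else ""


def displayed_name(member):
    """Approximation of what Explorer shows with 'File name extensions' off:
    the final extension is dropped, so report.pdf.js appears as report.pdf."""
    base = member.rsplit("/", 1)[-1]
    stem, dot, _ext = base.rpartition(".")
    return stem if dot and stem else base


def script_members(zip_bytes):
    """Return [(member_name, shown_as)] for every script file in the archive."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if real_extension(info.filename) in SCRIPT_EXTENSIONS:
                found.append((info.filename, displayed_name(info.filename)))
    return found


def build_sample_zip():
    """Constructed lure archive: a .js named to look like a document, plus a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("intercompany_settlement_agreement.pdf.js",
                    "// placeholder script body, not a real payload\n")
        zf.writestr("readme.txt", "Nothing to see here.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, shown in script_members(build_sample_zip()):
        print(f"{name!r} would be shown as {shown!r}")
```

The same check is worth running at a mail gateway or download proxy: the decision about whether a ZIP contains a script should be made on the real extension, never on how the name renders for the user.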
