Gootloader luring victims with Bengal Cats

Sophos researchers have detailed a malware campaign targeting users searching Google for the legality of Bengal cats in Australia.

The campaign leverages the Google search engine to distribute a malicious payload known as Gootloader, which has evolved significantly since its initial use by notorious cybercriminals associated with ransomware and banking trojans.

Through this campaign, attackers were creating fake websites and content related to Bengal cats in order to lure in their target audience. These malicious sites would then rank highly in Google search results for relevant queries, increasing the chances of victims stumbling upon them.

Once a user clicks on one of these poisoned search results, they are directed to a website that appears to contain legitimate information about Bengal cats. However, hidden within the site’s code is a Gootloader script that silently infects the user’s device.

Gootloader uses a multi-stage payload delivery mechanism, which improves the malware’s stealth and its ability to carry out further attacks.

  1. Initial Infection: When a victim visits one of these websites, the Gootloader script plants a minimal first-stage payload on the system. This initial payload is heavily obfuscated and performs only basic reconnaissance, such as gathering information about the target system.
  2. Staging the Payload: The first-stage payload then communicates with the attacker’s C2 server to retrieve the next stage of the malware. This second-stage payload is more complex and contains Gootloader’s core functionality, such as the ability to download and execute additional malware.
  3. Executing the Attack: Once the full Gootloader payload is delivered and executed, it can proceed with the final stages of the attack. This may involve downloading and installing other malware, stealing sensitive data, or performing other malicious actions.
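As an added example (mine, not code from Sophos or from the report), the following script correlates constructed web-proxy log lines for the chain the three stages above describe: a search-engine referral onto a lure page, followed shortly by a request from the same client to an /xmlrpc.php endpoint on a different host. The log format, the time window, and the assumption that the next stage is fetched from WordPress XML-RPC endpoints on compromised sites (consistent with the indicators published alongside the report) are all my own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the report): timestamp client method url referrer
SAMPLE_LOG = """\
2024-11-06T10:00:01 10.0.0.5 GET https://lure.example/are-bengal-cats-legal/ https://www.google.com/search?q=bengal+cats+legal+australia
2024-11-06T10:00:09 10.0.0.5 GET https://lure.example/wp-content/download.php -
2024-11-06T10:03:30 10.0.0.5 POST https://wp-victim.example/xmlrpc.php -
2024-11-06T10:05:00 10.0.0.7 GET https://news.example/article https://www.google.com/search?q=news
2024-11-06T10:06:00 10.0.0.7 GET https://news.example/xmlrpc.php -
2024-11-06T12:00:00 10.0.0.9 POST https://wp-victim.example/xmlrpc.php -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+)$")
SEARCH_REFERRER = re.compile(r"^https?://(www\.)?(google|bing|duckduckgo)\.[a-z.]+/")
# Assumption: the second stage is retrieved from XML-RPC endpoints of compromised WordPress sites.
STAGING_PATH = re.compile(r"/xmlrpc\.php$")

def parse_log(text):
    """Yield (timestamp, client, method, url, referrer) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, url, ref = m.groups()
            yield datetime.fromisoformat(ts), client, method, url, ref

def find_chains(text, window=timedelta(minutes=30)):
    """Return (client, lure_url, staging_url) for each client that lands on a page from a
    search-engine referral and, within `window`, requests /xmlrpc.php on a different host."""
    landings = defaultdict(list)  # client -> [(time, lure_url)]
    chains = []
    for ts, client, method, url, ref in parse_log(text):
        if SEARCH_REFERRER.match(ref):
            landings[client].append((ts, url))
            continue
        if not STAGING_PATH.search(urlsplit(url).path):
            continue
        for lure_ts, lure_url in landings[client]:
            # xmlrpc.php on the site just visited is ordinary WordPress traffic; cross-host is the signal.
            if timedelta(0) <= ts - lure_ts <= window and urlsplit(url).netloc != urlsplit(lure_url).netloc:
                chains.append((client, lure_url, url))
                break
    return chains

if __name__ == "__main__":
    for client, lure, staging in find_chains(SAMPLE_LOG):
        print(f"{client}: search lure {lure} -> stage-two fetch {staging}")
```

In the sample, only client 10.0.0.5 is flagged: 10.0.0.7 talks to xmlrpc.php on the same site it landed on, and 10.0.0.9 never arrived via a search referral.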

The report highlights the sophistication and adaptability of modern malware campaigns, as well as the importance of vigilance and proactive security measures to protect against such threats.


Indicators of Compromise

