Website admins should patch all plugins, WordPress itself and back-end servers as soon as possible.
The downloader malware known as Gootloader is poisoning websites globally as part of an extensive drive-by and watering-hole cybercampaign that abuses WordPress sites by injecting them with hundreds of pages of fake content.
The adversaries have so far delivered the Cobalt Strike intrusion tool, the Gootkit banking trojan or the REvil ransomware, according to a forensic analysis.
Researchers with eSentire spotted a Gootloader campaign in December, infiltrating dozens of legitimate websites involved in the hotel industry, high-end retail, education, healthcare, music and visual arts, among others. All of the compromised sites run on WordPress.
“The threat actors’ end game is to infect business professionals, speaking English, German and Korean,” according to a posting on the campaign, issued Thursday. “Their modus operandi is to entice a business professional to one of the compromised websites, and then have them click on a link, leading to Gootloader, which attempts to retrieve the final payload, whether it be ransomware, a banking trojan or intrusion tool/credential stealer.”
Watering-Hole Attacks
In performing incident response at a law firm, eSentire analysts saw malicious code being written to the Windows Registry – a common, fileless malware tactic. Upon further investigation, the infection turned out to have stemmed from an employee who “was searching the internet for sample business agreements dealing with physician assistants (PAs) practicing medicine in California.”
The employee found a top-ranked web page purporting to be a Q&A forum, which referenced a link to a sample agreement for PAs working in California; but, when the person attempted to open the so-called “document,” it executed Gootloader.
In another incident, an employee of a consulting firm was searching the web for the Paris Agreement – the international treaty on climate change. When the consultant attempted to download the agreement from a legitimate site, the person received Gootloader instead.
Yet another incident involved an employee of another legal firm specializing in the healthcare industry. This time the employee had searched the web for the UCC-1 subordination agreement, an agreement pertaining to loans under the Uniform Commercial Code. The Gootloader malware in this case was hosted on an addiction recovery center’s website.
Upon investigation, it turns out that near-identical campaigns using the same Q&A forum baiting technique were uncovered in October by the South Korean cybersecurity firm CheckMal (targeting Korean speakers); and in November by Malwarebytes (targeting German speakers).
Meanwhile, research from Sophos earlier this week detailed Gootloader’s evolution to delivering multiple types of payloads, including ransomware and Cobalt Strike.
Compromised WordPress Sites
In all, eSentire uncovered several dozen WordPress sites which had been compromised in order to spread the attacks. In all cases, the sites were loaded up with bogus blog pages.
It’s unclear how the sites were initially compromised, eSentire said. It could have happened via a vulnerable plugin, or the WordPress installation itself simply may not have been patched, researchers noted. It’s also possible that attackers infiltrated via an insecure server.
In any event, starting around December the sites’ existing content had been tampered with, new content had been added, and malicious code had been injected.
“The compromised WordPress sites were injected with tens to hundreds of blog posts,” researchers explained.
Several features were standard across the injected blog posts, analysts found; for instance, the title of all of them contained the word “agreement.”
“This title did not always relate to a meaningful agreement,” according to the investigation. “For example, it sometimes included just a web domain as the title, that happened to have the word ‘agreement’ in it.”
The content also consisted of complete sentences pertaining to the subject of law, placed in random, nonsensical order, according to the posting. When visited by security infrastructure and virtual machines (VMs), these injected gobbledygook blog posts are visible – but when the attackers’ back-end server detects a potential victim, the blog post itself is hidden behind the previously mentioned fake forum posts. Those overlays serve up the malicious links leading to Gootloader.
“Exact Google searches of [blog post] sentences led to more compromised blogs, as well as some legitimate source content,” they said. “[We have] not yet discovered two blogs with the exact same content.”
And finally, all injected blog posts on a given compromised website were spread across the month of December.
“As such, they sometimes appeared in an injected /2020 directory, if not an injected /2020/12 directory,” researchers explained. “Variations in the directory’s structure were likely due to the underlying structure of the legitimate WordPress site.”
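A defender-side triage script, added here and not taken from eSentire’s report, that applies the indicators just described (a title containing “agreement”, a December 2020 date under an injected /2020/12 directory, and a body of legal sentences with no topical continuity) to a site’s own post listing. The sample JSON, the example.test domain, the term lists and the scoring thresholds are constructed assumptions; the field layout follows what WordPress’s /wp-json/wp/v2/posts endpoint returns.

```python
import json
import re
# Constructed sample of what a site's /wp-json/wp/v2/posts endpoint returns; not real data.
SAMPLE_POSTS = json.dumps([
    {"title": {"rendered": "Holiday opening hours"}, "date": "2020-11-30T09:00:00",
     "link": "https://example.test/2020/11/holiday-hours/",
     "content": {"rendered": "<p>We close at noon on the 24th. We reopen on 2 January. Call before visiting in January.</p>"}},
    {"title": {"rendered": "Physician assistant practice agreement california"},
     "date": "2020-12-14T03:12:45", "link": "https://example.test/2020/12/pa-agreement/",
     "content": {"rendered": "<p>The parties hereby agree to the terms set forth below. Tenant shall remit rent on the "
                             "first day of each month. Nothing in this clause limits the express warranty. The licensee "
                             "may not assign this contract without consent.</p>"}},
    {"title": {"rendered": "agreementforms.example"}, "date": "2020-12-02T00:41:10",  # bare domain used as title
     "link": "https://example.test/2020/12/agreementforms-example/", "content": {"rendered": "<p>Download the form here.</p>"}},
])
LEGAL_TERMS = {"agreement", "parties", "party", "shall", "hereby", "clause", "contract",
               "licensee", "tenant", "warranty", "pursuant", "terms", "consent"}
STOP_WORDS = {"the", "a", "an", "of", "on", "in", "to", "and", "or", "this", "that", "at", "by", "not", "may", "be", "is", "each", "without"}

def sentences(html):
    """Strip tags and split the body into sentences (crude, but enough for triage)."""
    text = re.sub(r"<[^>]+>", " ", html)
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text) if s.strip()]

def content_words(sentence):
    return {w for w in re.findall(r"[a-z]+", sentence.lower()) if w not in STOP_WORDS}

def body_features(sents):
    """Return (share of sentences with a contract-law term, share of adjacent pairs sharing a word)."""
    words = [content_words(s) for s in sents]
    legal = sum(bool(w & LEGAL_TERMS) for w in words) / max(len(words), 1)
    pairs = list(zip(words, words[1:]))
    linked = sum(bool(a & b) for a, b in pairs) / len(pairs) if pairs else 1.0
    return legal, linked  # shuffled legal boilerplate: legal high, linked near zero

def score_post(post):
    """Return the injection indicators from the article that a single post matches."""
    reasons = []
    if "agreement" in post["title"]["rendered"].lower():
        reasons.append("title contains 'agreement'")
    if post["date"].startswith("2020-12") or "/2020/12/" in post["link"]:
        reasons.append("published in the December 2020 injection window")
    sents = sentences(post["content"]["rendered"])
    legal, linked = body_features(sents)
    if len(sents) >= 3 and legal >= 0.75 and linked <= 0.34:
        reasons.append("legal-sounding sentences with no topical continuity")
    return reasons

def triage(posts_json, min_indicators=2):
    # Map post link -> matched indicators, keeping posts that hit at least min_indicators.
    scored = {p["link"]: score_post(p) for p in json.loads(posts_json)}
    return {link: r for link, r in scored.items() if len(r) >= min_indicators}
```

Posts the site owner does not recognise that land in the flagged set are candidates for the injected content the researchers describe; the thresholds are deliberately loose, so review hits by hand.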
“The compromised websites served as a foundation for the Gootloader campaign, providing malicious hosting and search-engine optimization (SEO) to the threat actors,” according to the posting. “This allowed the threat actors to deliver arbitrary, malicious payloads to unsuspecting business professionals.”
How to Avoid Being Hijacked by Gootloader
The unfortunate reality with these kinds of attacks is that because the malicious content is hosted on legitimate websites, it’s difficult for an average web user to identify the threat. To avoid becoming a victim of such campaigns, users should pay close attention to what they’re downloading from the internet, according to eSentire.
“If you download a document from the Internet but you are served a JavaScript file, do not open it,” according to researchers. “Even legitimate Word and Excel documents from the internet can lead to loader malware.”
Admins can also use Windows Attack Surface Reduction (ASR) rules to block JavaScript and VBScript from launching downloaded content. User awareness training on how to inspect a full URL before downloading files, to ensure it matches the expected source (e.g., Microsoft Teams should come from a Microsoft domain), is always a good idea.