How Gootloader expands its payload delivery systems
Gootloader relies on malicious search engine optimization (SEO) to manipulate Google's search results; this "search engine deoptimization" is the first phase of the attack.
This works because Gootloader's operators maintain a network of servers hosting compromised legitimate websites, ostensibly belonging to real businesses. When a visitor clicks the link in the search result, they are shown a different site: a specific page that appears to answer their exact search question, using the same wording as the search query.
When the target double-clicks the script downloaded from that page, it runs entirely in memory, out of the reach of traditional endpoint protection tools.
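The cloaking behaviour described above gives defenders something to test for: the same URL returns one page to a direct visitor and a different, query-echoing page to a visitor who appears to arrive from a search engine. The following is an added example, not code from the article or from Sophos. It assumes the page has already been fetched twice (once with and once without a search-engine Referer); the two HTML bodies and the search query below are constructed samples, and the thresholds are assumptions chosen for illustration.

```python
import difflib
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text from HTML, ignoring script and style bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def visible_text(html):
    """Return normalised, lower-cased visible text of an HTML document."""
    parser = _TextExtractor()
    parser.feed(html)
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip().lower()


def _term_hit_ratio(text, terms):
    """Fraction of query terms that occur as whole words in the text."""
    words = set(re.findall(r"[a-z0-9]+", text))
    return sum(1 for t in terms if t in words) / len(terms) if terms else 0.0


def cloaking_score(direct_html, referred_html, query,
                   max_similarity=0.5, min_echo=0.8):
    """Compare the page served to a direct visitor with the page served to a
    visitor arriving from a search result for `query`.

    The pair is flagged when the two pages differ substantially AND the
    referred page echoes most of the query terms while the direct page
    does not. Thresholds are assumptions, not values from the article.
    """
    direct = visible_text(direct_html)
    referred = visible_text(referred_html)
    similarity = difflib.SequenceMatcher(None, direct, referred).ratio()
    terms = [t for t in re.findall(r"[a-z0-9]+", query.lower()) if len(t) > 2]
    direct_echo = _term_hit_ratio(direct, terms)
    referred_echo = _term_hit_ratio(referred, terms)
    suspicious = (similarity < max_similarity
                  and referred_echo >= min_echo
                  and referred_echo > direct_echo)
    return {
        "similarity": similarity,
        "direct_echo": direct_echo,
        "referred_echo": referred_echo,
        "suspicious": suspicious,
    }


# Constructed samples: what a direct visitor sees (a florist's real page)
# versus what a visitor arriving from a search result sees (the fake answer
# page, repeating the query wording). These are not real sites.
DIRECT_HTML = """<html><head><title>Bloom and Petal Florist</title>
<style>body{margin:0}</style></head><body><h1>Bloom and Petal Florist</h1>
<p>Fresh bouquets delivered across the city. Order online or call the shop.</p>
</body></html>"""

CLOAKED_HTML = """<html><head><title>Sample Residential Lease Agreement Form</title>
</head><body><h1>Sample residential lease agreement form</h1>
<p>Here is the sample residential lease agreement form you asked for.
Download the lease agreement below.</p><a href="#">download</a></body></html>"""

QUERY = "sample residential lease agreement form"

if __name__ == "__main__":
    print(cloaking_score(DIRECT_HTML, CLOAKED_HTML, QUERY))
    print(cloaking_score(DIRECT_HTML, DIRECT_HTML, QUERY))
```

A real check would fetch the URL with a browser-like User-Agent both with and without a `Referer` such as a Google results page, then feed both bodies to `cloaking_score`; a site that serves an unrelated, query-shaped page only to the referred request is exhibiting the behaviour the article describes and is worth a closer look.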
What Is Gootloader's Mode of Operation?
How Gootloader's operators gain access to these websites to serve the malicious injects remains unclear, but Sophos researchers suspect the attackers may have obtained the login credentials by installing the Gootkit malware or by purchasing stolen credentials on underground markets.
Furthermore, the criminals tend to reuse their proven techniques instead of developing new mechanisms. Instead of actively attacking endpoint security tools the way other malware distributors do, Gootloader's creators opt for evasive techniques that conceal the end result.