A Security Team Is Turning This Malware Gang’s Tricks Against It

Certain cybercriminal groups like ransomware gangs, botnet operators, and financial fraud scammers get specific attention for their attacks and operations. But the larger ecosystem that underlies digital crime includes an array of actors and malicious organizations that essentially sell support services to these criminal customers. Today, researchers from security firm eSentire are revealing their methods for disrupting the operations of one longtime criminal enterprise that compromises businesses and other organizations and then sells that digital access to other attackers.

Known as an initial-access-as-a-service operation, the Gootloader malware and the criminals behind it have been compromising and scamming for years. The Gootloader gang infects victim organizations and then sells access to deliver a customer’s preferred malware into the compromised target network, whether that’s ransomware, mechanisms for data exfiltration, or other tools to compromise the target more deeply. From tracking Gootloader page data, for example, the eSentire researchers collected evidence that the notorious Russia-based ransomware gang REvil regularly worked with Gootloader between 2019 and 2022 to gain initial access to victims—a relationship that other researchers have noticed as well.

Joe Stewart, eSentire’s principal security researcher, and senior threat researcher Keegan Keplinger designed a web crawler to keep track of live Gootloader web pages and formerly infected sites. Currently, the two see about 178,000 live Gootloader web pages and more than 100,000 pages that historically appear to have been infected with Gootloader. In a retrospective advisory last year, the United States Cybersecurity and Infrastructure Security Agency warned that Gootloader was one of the top malware strains of 2021 alongside 10 others.

By tracking Gootloader’s activity and operations over time, Stewart and Keplinger identified characteristics of how Gootloader covers its tracks and attempts to evade detection that defenders can exploit to protect networks from being infected.

“Digging deeper into how the Gootloader system and malware works, you can find all these little opportunities to impact their operations,” Stewart says. “When you get my attention, I get obsessed with things, and that’s what you don’t want as a malware author: for researchers to just completely dive into your operations.”

Out of Sight, Out of Mind

Gootloader evolved from a banking trojan known as Gootkit that has been infecting targets primarily in Europe since as early as 2010. Gootkit was typically distributed through phishing emails or tainted websites and was designed to steal financial information like credit card data and bank account logins. Since a shift in activity that began in 2020, researchers have tracked Gootloader separately, because its delivery mechanism has increasingly been used to distribute an array of criminal software, including spyware and ransomware.

The Gootloader operator is known for distributing links to malicious documents, particularly templates and other generic forms. When targets click the links to download these documents, they unintentionally infect themselves with Gootloader malware. To get targets to initiate the download, the attackers compromise legitimate blogs, particularly WordPress blogs, and quietly add content that carries the malicious document links and is written to rank in search results for the kinds of documents people look for, a tactic known as search-engine-optimization poisoning.

Gootloader’s server-side logic screens visitors to tainted blog posts on a number of characteristics before deciding what to serve. For example, anyone who is logged in to a compromised WordPress blog, whether with administrator privileges or not, is blocked from seeing the posts containing the malicious links and gets the unmodified page instead. Gootloader goes further and permanently blocks IP addresses that are numerically close to the address from which a relevant WordPress account logged in. The idea is to keep other people in the same organization, who are likely to share that address range, from seeing the malicious posts.
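To make the two mechanisms above concrete, the poisoned posts served to search-engine visitors and the gate that hides them from logged-in WordPress users and their IP neighbourhood, here is an added Python model of that gate together with the differential check a defender can run against their own site. This is illustrative code written for this article; it is not eSentire’s tooling or Gootloader’s code. The sample HTML, the example.com URLs, the /24 width used for “numerically close,” and the cookie value are constructed assumptions; the `wordpress_logged_in_<hash>` cookie name is WordPress’s real convention.

```python
"""Model of Gootloader-style visitor gating plus a defender-side audit.

Added illustration; not eSentire's or Gootloader's code. The sample pages,
URLs, /24 neighbourhood width and cookie value are constructed assumptions.
"""

import ipaddress
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser

# WordPress names its session cookie wordpress_logged_in_<hash> for every
# logged-in user, administrator or not, so a gate only needs the prefix.
WP_LOGIN_COOKIE = re.compile(r"^wordpress_logged_in_[0-9a-f]+$")

# Constructed sample pages: the site's real post, and the injected version
# that anonymous (search-engine) visitors receive.
CLEAN_POST = """<html><body><h1>Our spring newsletter</h1>
<p>Thanks for reading.</p>
<a href="https://example.com/about">About us</a>
</body></html>"""

POISONED_POST = """<html><body><h1>Our spring newsletter</h1>
<p>Thanks for reading.</p>
<a href="https://example.com/about">About us</a>
<h2>Free agreement template download</h2>
<a href="https://example.com/wp-content/uploads/agreement-template.zip">Download the template</a>
</body></html>"""


@dataclass
class Gate:
    """Server-side gate modelled on the described behaviour: a logged-in
    WordPress visitor gets the real post and their numeric neighbourhood is
    blocked permanently; any other visitor gets the poisoned post."""
    blocked: list = field(default_factory=list)  # permanently blocked networks
    neighbourhood_prefix: int = 24              # ASSUMPTION: width of "numerically close"

    def decide(self, client_ip: str, cookies: dict) -> str:
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.blocked):
            return "clean"
        if any(WP_LOGIN_COOKIE.match(name) for name in cookies):
            net = ipaddress.ip_network(
                f"{client_ip}/{self.neighbourhood_prefix}", strict=False)
            self.blocked.append(net)  # the whole range stays blocked from now on
            return "clean"
        return "poisoned"

    def render(self, client_ip: str, cookies: dict) -> str:
        return CLEAN_POST if self.decide(client_ip, cookies) == "clean" else POISONED_POST


class LinkExtractor(HTMLParser):
    """Collects the href of every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def extract_links(html: str) -> set:
    parser = LinkExtractor()
    parser.feed(html)
    return set(parser.links)


def cloaked_links(anonymous_html: str, logged_in_html: str) -> list:
    """Links an anonymous visitor sees but a logged-in visitor does not.
    A non-empty result on your own site is the signature of this cloaking:
    content injected for search engines and hidden from the site's staff."""
    return sorted(extract_links(anonymous_html) - extract_links(logged_in_html))


def audit_site(gate: Gate, login_ip: str, probe_ip: str) -> list:
    """Defender workflow: fetch the post with a WordPress session (as an admin
    would), then fetch it anonymously from probe_ip and diff the links.
    Because the login blocks login_ip's neighbourhood, a probe from the same
    range sees the clean page too and the injection is missed; probe from an
    unrelated address (mobile network, cloud host) instead."""
    logged = gate.render(login_ip, {"wordpress_logged_in_abc123": "constructed"})
    anon = gate.render(probe_ip, {})
    return cloaked_links(anon, logged)


if __name__ == "__main__":
    print("probe from office range:", audit_site(Gate(), "203.0.113.20", "203.0.113.10"))
    print("probe from outside:     ", audit_site(Gate(), "203.0.113.20", "198.51.100.5"))
```

The second `audit_site` call is the one that matters in practice: once anyone on the organization’s range has logged in to the compromised blog, every later anonymous check from that range is served the clean page, so the comparison has to be made from an address Gootloader has no reason to associate with the site’s owners.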