Google SEO algorithm tricked by malware to legitimise fake sites

It is actively delivering malicious payloads through highly-focused campaigns in the US, South Korea and Germany

A five-year old malware strain is tricking Google's famed Search Engine Optimisation (SEO) algorithm into believing that fake sites are legitimate, thereby enabling such sites to climb to the top of search results.

That's according to security researchers at Sophos who state that the Gootloader malware loader, previously used by hackers to distribute the Gootkit malware family, has undergone a "renaissance" when it comes to payload delivery.

Gootkit malware has been around for the past five years, and its main functionality is usually set around banking credential theft. However, it appears that Gootkit operators have put in significant effort in recent years to improve the technique to deliver malware into users' systems.

The Sophos researchers said the platform is actively delivering malicious payloads through highly focused operations in the US, South Korea and Germany.

"Gootloader uses malicious search engine optimisation techniques to squirm into Google search results. The way it accomplishes this task deserves some discussion, because it centres as much around technology as human psychology," the researchers said in a blog post.

They estimate that the hackers behind Gootloader are currently running a network of about 400 servers that serve hacked versions of genuine websites and mislead the SEO algorithm to appear on top of some specific searches.

To illustrate the effectiveness of the new malware delivery mechanism, researchers cited one example where a legitimate (but hacked), neonatal medical practise based in Canada showed up on the top of a search related to a real estate agreement.

Clicking the link leads people to a fake forum page, which shows a message from the "admin" and a link to a direct download. If the user clicks the download link, a zip file with the same name as the original search is downloaded on the system.

This zip file contains the initial infector - a file with a .js extension. When the user double-clicks the file, it starts running in the memory and initiates the next stage of compromise.

The security firm didn't reveal how the malware affects the user or what data it is stealing from infected systems. However, it did say that Gootloader is currently delivering Cobalt Strike, a post-exploitation tool, in the US and South Korea and Kronos financial malware in Germany. It has also delivered REvil ransomware and the Gootkit trojan itself.

Sophos advises users to enable file extensions on their Windows PCs to spot files with a .js extension and to be cautious about them.

"In the end, it's up to the search engines, whose algorithm the malware games to get a high search result, to address the initial attack vector," the researchers said.

"Users can be trained to do things like enable visible file suffixes in Windows, so they can see they're clicking a file with a .js extension, but they can't choose which search results appear near the top of the list or how those sites get manipulated by threat actors," they added.