There has been an increase in the use of a JavaScript-based infection framework known as Gootloader for delivering malware payloads. Gootloader, as the name suggests, has been used to deliver the Gootkit banking Trojan, but also REvil ransomware, Cobalt Strike, and the Kronos Trojan via compromised WordPress websites.
The threat actors behind Gootloader compromise vulnerable WordPress websites and inject hundreds of pages of fake content, often totally unrelated to the theme of the website. A broad range of websites have been compromised across many industry sectors, including retail, education, healthcare, travel, music, and many more, with the common denominator that they all use the WordPress CMS.
It is not clear how the WordPress sites have been compromised. It is possible that the sites have not been updated to the latest WordPress version or had vulnerable plugins that were exploited. Legitimate admin accounts could be compromised using brute force tactics, or other methods used.
The content added to the compromised sites takes the format of forum posts and fake message boards, providing specific questions and answers. The questions are mostly related to specific types of legal agreements and other documents. An analysis of the campaign by eSentire researchers found most of the posts on the compromised websites contained the word “agreement”. The posts have a question, such as “Do I need a party wall agreement to sell my house?” with a post added below using the exact same search term that users can click to download a template agreement.
These pages have very specific questions for which there are few search engine listings, so when search engines crawl the websites, the content ranks highly in the SERPs for that specific search term. There may be relatively few individuals searching for these particular search terms on the likes of Google, but the majority of those that do are looking for a sample agreements to download.
The malicious file that the link directs the user to download is a JavaScript file, hidden inside a.zip file. If that file is opened, the rest of the infection process operates in the memory, beyond the reach of traditional antimalware solutions. An autorun entry is created that loads a PowerShell script for persistence, which will ultimately be used to deliver whatever payload the threat actor wishes to deliver.
The content added to the websites contains malicious code that displays the malicious forum posts only to visitors from specific locations, with an underlying blog post that at first appears legitimate, but mostly contains gibberish. The blog post will be displayed to all individuals who are not specifically being targeted.
The campaign is using black hat SEO techniques to get the content listed in the SERPs, which will eventually be removed by the likes of Google; however, that process may take some time.
Blocking these attacks requires a combination of security solutions and training. Downloading any document or file from the Internet carries a risk of a malware infection. Risk can be reduced by implementing a web filtering solution. Web filters will block access to websites that have been identified as malicious and will perform content analysis on new content. You can also configure a web filter to block downloads of certain files types, such as JavaScript files and Zip files.
Endpoints should be configured to display known file types, as this is not enabled by default in Windows. This will ensure that the file extension – .js – is displayed. End users should be instructed not to open these files and Windows Attack Surface Reduction rules should be set to block JavaScript and visual Basic scripts from attempting to download and run files.
