Although businesses and consumers are becoming increasingly wary of ‘phishing’ emails containing a seemingly harmless link that has been secretly weaponized, few exercise similar caution when using popular search engines.
Conducting an innocent online search for any business-related document, such as a legal contract, has become as potentially risky as opening a link in an unsolicited email. Ransomware gangs, usually outside US, UK, and EU jurisdiction, are now luring business users of popular search engines to compromised websites designed to look like professional forums, creating a back door into the searcher’s entire organization.
According to reports published on IBM's threat intelligence platform X-Force Exchange, Gootloader, which X-Force also tracks as Hive0127 (aka UNC2565), typically targets online searches for contracts, legal forms, or other business-related documents. A typical search by a professional working for a large organization might be: "Is a closing statement the same as a grand contract?". The top result on the poisoned search engine results page is a compromised website that has been modified to look like a legitimate forum. Within the forum conversation, the targeted user is tricked into downloading an archive file named to match their original search terms, which in fact contains the Gootloader payload.
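The chain just described (search-engine referral, landing on a site dressed up as a forum, then an archive download from that same site whose file name echoes the search) is visible in web proxy logs, and a SOC can hunt for it. The following is an added example, not code from the page or from IBM X-Force. It assumes a simple five-field proxy log (timestamp, client, method, URL, referer) and the sample lines are constructed for the example; the hostnames and file names in it are made up. It also handles the common real-world wrinkle that browsers usually strip the query string from a cross-site referer, so the search terms are often unavailable: in that case a search-engine referral followed by an archive download from the same site is still flagged, at lower confidence.

```python
"""Flag the search-to-archive chain described above in web proxy logs.

Added example, not code from the page or from IBM X-Force. The log format
(timestamp, client, method, URL, referer) and the log lines themselves are
constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
WINDOW = timedelta(minutes=10)  # max gap between landing page and archive download
STOPWORDS = {"a", "an", "the", "is", "are", "same", "as", "of", "to", "and", "or"}
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample: a poisoned-result chain with the full query in the
# referer, a benign search referral, a chain where the browser stripped the
# query from the referer, and an archive download with no search referral.
SAMPLE_LOG = """\
2023-11-07T09:12:01Z 10.0.4.21 GET https://example-forum.test/thread/closing-statement https://www.google.com/search?q=is+a+closing+statement+the+same+as+a+grand+contract
2023-11-07T09:12:40Z 10.0.4.21 GET https://example-forum.test/download/closing_statement_grand_contract.zip https://example-forum.test/thread/closing-statement
2023-11-07T09:15:03Z 10.0.4.22 GET https://vendor.test/docs/templates https://www.google.com/search?q=quarterly+report+template
2023-11-07T09:15:40Z 10.0.4.22 GET https://vendor.test/docs/brochure.zip https://vendor.test/docs/templates
2023-11-07T10:02:15Z 10.0.4.30 GET https://another-site.test/thread/grand-contract https://www.bing.com/
2023-11-07T10:03:02Z 10.0.4.30 GET https://another-site.test/files/grand_contract.zip https://another-site.test/thread/grand-contract
2023-11-07T10:30:10Z 10.0.4.40 GET https://fileshare.test/archive.zip https://intranet.test/home
"""


def parse_line(line):
    """Split one constructed-format log line into its fields, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, referer = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "url": url, "referer": referer}


def search_terms(referer):
    """Return (is_search_referral, query_terms).

    Browsers usually strip the query from cross-site referers, so a search
    referral often arrives with an empty term set.
    """
    p = urlparse(referer)
    if p.hostname not in SEARCH_ENGINES:
        return False, set()
    q = parse_qs(p.query).get("q", [""])[0]
    return True, {w for w in re.findall(r"[a-z0-9]+", q.lower()) if w not in STOPWORDS}


def filename_terms(url):
    """Tokenise the downloaded file's stem so it can be matched to the query."""
    name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    return set(re.findall(r"[a-z0-9]+", name.rsplit(".", 1)[0]))


def find_seo_archive_chains(log_text, min_overlap=2):
    """Return findings for search referral -> same-site archive download chains."""
    landings = defaultdict(list)  # client -> [(ts, landing host, query terms)]
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        host = urlparse(ev["url"]).hostname
        is_search, terms = search_terms(ev["referer"])
        if is_search:
            landings[ev["client"]].append((ev["ts"], host, terms))
            continue
        if not ev["url"].lower().endswith(ARCHIVE_EXT):
            continue
        fterms = filename_terms(ev["url"])
        for lts, lhost, lterms in landings[ev["client"]]:
            if lhost != host or not (timedelta(0) <= ev["ts"] - lts <= WINDOW):
                continue
            overlap = lterms & fterms
            if lterms and len(overlap) < min_overlap:
                continue  # query is known and the archive name is unrelated
            findings.append({
                "client": ev["client"],
                "landing_host": host,
                "archive": ev["url"],
                "seconds_after_landing": int((ev["ts"] - lts).total_seconds()),
                "matched_terms": sorted(overlap),
                # query stripped from the referer -> weaker evidence
                "confidence": "high" if len(overlap) >= min_overlap else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_seo_archive_chains(SAMPLE_LOG):
        print(f"[{f['confidence']}] {f['client']} -> {f['archive']} "
              f"({f['seconds_after_landing']}s after landing, terms={f['matched_terms']})")
```

Run against the constructed sample, the first client is flagged at high confidence (all four query terms reappear in the archive name), the third at medium confidence (search referral with no query, then a same-site archive), while the benign download of an unrelated brochure and the intranet download are not flagged. In production the same logic would run over real proxy or secure web gateway logs, and the medium-confidence hits are best enriched with the landing page's content or category before paging anyone.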
Sadistic techniques increasingly used
The Gootloader infection then delivers the "GootBot" implant, designed to enable stealthy lateral movement across the corporate network. Once installed and running undetected, GootBot can act as a Trojan horse for ransomware, which encrypts the target organization's most valuable and most sensitive data and releases the decryption keys only once the ransom has been paid in cryptocurrency. A recent and rather sadistic technique increasingly used in ransomware attacks is to start releasing the target company's most sensitive data onto the internet immediately and piecemeal, continuing until the ransom is paid in full.
All organizations should lose no time in teaching staff, who are used to assuming that a search engine's first results are accurate, safe, and legitimate, not to trust search results automatically. Double-checking a website's URL should become second nature, but on its own it is not enough: in this campaign the sites are legitimate domains that have been compromised, so the address bar can look perfectly plausible. The more reliable warning sign is the lure itself, a forum reply offering a downloadable archive that happens to match exactly the document the user was searching for. Staff should treat such downloads as suspect and report them rather than open them.