It’s become almost axiomatic that malware attacks of all varieties begin with a phishing email. Most enterprises teach their employees how to deal with such attacks, how to identify a phishing email, how to avoid dangerous links, and how to identify malicious attachments. Yes, this information does help, but what if your employee becomes an entrance point for an attack on the corporate network without ever getting a phishing email at all and by only visiting valid sites? How do you stop these attacks?
That question is not easy to answer but to stop any complex, multi-layered attack, cybersecurity countermeasures must be in place to disrupt the attack at its weakest point. Interestingly, criminals try to complicate their attacks by taking the victims through a step-by-step attack that makes them lose their suspicions and eventually ensnares them. However, this same layered strategy opens the attack up to countermeasures. Probably the best way to see how this attack-defense battle takes place is to actually look at a complex attack that is currently underway.
The attack I will use as an example uses what Sophos calls, Gootloader, to deliver the payload. The attack structure of this malware delivery system is designed to implant banking Trojans, ransomware, and RATs (remote access Trojans). And it all begins with the use of one of the most trusted sites on the internet; Google search.
Here is a search I did for the legal term, ‘fiduciary holdback’.
This otherwise harmless site has been weaponized to be used in a ransomware attack. I informed the site owners about this problem, but never received a reply. However, the next day the compromise seemed to have been resolved, as similar search results elicited this result.
This site is not alone. Here are a few other sites I found that have been compromised through Google search and the use of a variety of somewhat obscure legal terms.
As you can probably tell, sites around the globe are being targeted.
So, the attack begins by getting Google search to list the infected site near the top of the search results. How do the attackers do this? According to Sophos, the attackers maintain a network of over 400 servers. This plus the use of more obscure legal terminology enables the compromised site to be listed at the top of the search results without appearing as an ad. This would also insure that the person tricked by the result was probably working for a legitimate company, likely in the legal department of a corporation, or, possibly, working for a law firm or real estate business. Using such terminology kind of filters out much of the regular browsing public.
The potential victim using the search result is then led to a seemingly valid site. Sure, it may seem strange to find real estate legal terminology listed on a site that apparently offers tickets to plays, but the attackers hope you’ll overlook this inconsistency; after all, it was listed in Google search and the link is tagged as safe.
If you were to navigate to this site, you would find yourself on some sort of forum page where, surprisingly, someone named, Emma Hill, is ‘coincidentally’ asking the same question you typed into the search engine. Here’s how that page looks.
This question is answered by someone who claims to be the administrator by directing you, the victim, to another site. The link looks valid on the surface. Hovering over it, however, you’ll see this.
This is a connection to a wine store in France. If the victim doesn’t feel suspicious and clicks on the link, they will be directed to a blank page (at least in the links I’ve looked at) within this compromised site. The page will then download a .zip file. The downloaded file will have the same title as the original search term, thus, making it appear valid. If the user/victim decides to open this file, all is lost.
Within the .zip file is a js file (the .js extension may be hidden showing only the .zip) which will enable the attackers to take control of the user’s device. These js files have names which also reflect the Google search terms. Here are a few that Sophos gives that show which search terms have been weaponized.
Once it gets on your device, things get really bad. If you want the details, go to the Sophos article. In short, the file uses a variety of obfuscation techniques and writes itself into the registry to make it undiscoverable and persistent. It will then be in a position to install the following malware: Kronos (banking Trojan), REvil (ransomware), Gootkit (banking Trojan), or Cobalt Strike (remote access Trojan or RAT).
The compromised sites know where you’re coming from and if you navigate to it from a country they are not interested in, you will get an information page about the legal term you searched for. This would happen if I did this from some European servers but would allow me to get to the weaponized forum page if I used a server in the U,S. The conclusion is that this new wave of attacks is focusing on North American sites.
As I noted, there are weak points in this attack framework. First of all, the criminals seem to be relying on Google search. Using other search engines will largely mitigate against this attack, although some other search engines have been used to a much lesser extent.
Seeing a disconnect between the search term and the site that sponsors the results is also a give away. Going to that results page and seeing a forum page is the next clue that something’s not right. Hovering over the link and seeing a site that seems unrelated can also be an indicator of an attack in wait. Finally, receiving a zip file from that page with a name similar to your search term should make you suspicious. Have your device show the complete file extensions on files. The zip file may really be a ‘malware.zip.js’ file with “malware.zip” as the file name and “.js” as the true file extension which can be hidden.
Nonetheless, many will be fooled by this hack. I would suspect that installing ransomware would be the criminal’s main line of attack, especially if they can use the device they’ve compromised to move into a corporate network. Remember to protect your corporate endpoints with high quality endpoint protection that forms a hardware barrier between the device and the network. Finally, be especially vigilant if you live in the U.S., as these criminals are targeting that region.