No More Macros? Better Watch Your Search Results!

SEO poisoning is described as a rising infection vector now that Office blocks malicious macros: instead of relying on a macro-laden document, threat actors seed malicious sites into top search results. The article analyzes the Gootkit loader’s multi-stage delivery, string decoding, and C2 behavior, highlighting how it spreads via hijacked benign sites and uses decoy domains to evade defenses. #Gootkit #Gootloader #CobaltStrike #SEOPoisoning #NFT_GOD #Trellix

Keypoints

  • Malicious macros remain common, but defenders’ macro blocking is pushing actors toward SEO poisoning as an infection vector.
  • SEO poisoning drives users to malicious sites, sometimes via ads or high-ranked pages, enabling malware distribution.
  • The Gootkit loader uses a multi-stage chain (an obfuscated .js loader run through the Windows Script Host with wscript/cscript, followed by a PowerShell stage and further script stages) to reach its payloads.
  • The loader decodes strings and loads secondary payloads, with C2 communication that cycles through multiple URLs and includes decoy domains.
  • Threat actors pick the search keywords they poison to choose their victims (e.g., contract-related terms); Indonesian and Australian healthcare organisations are cited as examples of targets.
  • Persistence is achieved via scheduled tasks with semi-random names, some of them unusual phrases such as ‘Nuclear Pharmacy’, which complicates name-based detection.

MITRE Techniques

  • [T1189] Drive-by Compromise – SEO poisoning leads users to malicious sites; ‘SEO poisoning is a technique where threat actors get into top results, be it via advertisements and/or via high(er) ranked websites.’
  • [T1059.001] PowerShell – The second stage is a PowerShell script. ‘The next stage is another script, in this case PowerShell based, but given the usage of cscript, other languages can be possible, marking the loader’s versatility.’
  • [T1059.007] JavaScript – The loader is delivered as a .js file (e.g., 86554.js) executed by the Windows Script Host (wscript/cscript), and the third stage again uses WScript to launch the next stage. ‘The third stage invokes WScript to execute the next stage.’
  • [T1027] Obfuscated/Compressed Files and Information – Obfuscation makes the code harder to read; strings are recovered from encoded data. ‘The obfuscation makes the code harder to read… a string array is recovered and decoded.’
  • [T1053.005] Scheduled Task – Persistence via semi-random scheduled tasks named with contextual phrases. ‘scheduled tasks, via which persistence is achieved, seem to be generated semi-random… Nuclear Pharmacy… Organic Geochemistry.’
  • [T1082] System Information Discovery – The loader collects OS info, running processes, window titles, free disk storage, and user default folders. ‘The malware collects information about the operating system, running processes, grabs open window titles, the amount of free disk storage, and information about the user’s default folders and the content thereof (i.e. the user’s Desktop folder).’
  • [T1057] Process Discovery – Part of the collected information includes running processes. (as above)
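The technique list above (and the Keypoints) describes a chain that is easy to hunt for in endpoint telemetry: a Windows Script Host process running a .js from a user-writable directory, PowerShell spawned by that script host, and a scheduled task whose action runs wscript/cscript on a .js. The following is an added example written for this summary, not code from the Trellix report. It runs three such rules over constructed records shaped like Sysmon Event ID 1 (process creation) and Windows Security Event 4698 (task created); the field names, the user-writable path list, the task names and every sample value are assumptions.

```python
"""Hunt for a Gootkit/Gootloader-style delivery chain in endpoint telemetry.

Added example, not Trellix's code. Records mimic Sysmon Event ID 1 (process
creation) and Windows Security Event 4698 (scheduled task created), reduced
to the fields the rules need; field names, paths and sample values are
constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Assumption: a .js unpacked from a poisoned search result lives somewhere
# user-writable like these; a script under System32 is not the pattern we want.
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData\\(Local|Roaming))\\", re.I)
# A .js path, quoted (may contain spaces, e.g. a task-name folder) or bare.
JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)\b', re.I)


@dataclass
class Finding:
    technique: str  # ATT&CK ID the rule maps to
    reason: str
    key: str        # ProcessId or TaskName, to tie the finding back to the record


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def js_from_user_dir(text: str) -> bool:
    """True if text references a .js file under a user-writable directory."""
    m = JS_ARG.search(text)
    return bool(m and USER_WRITABLE.search(m.group(1) or m.group(2)))


def analyze_process(ev: dict) -> list[Finding]:
    """Rules over one process-creation record."""
    out = []
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd, pid = ev.get("CommandLine", ""), str(ev.get("ProcessId", ""))
    if image in SCRIPT_HOSTS and js_from_user_dir(cmd):
        out.append(Finding("T1059.007", "script host running a .js from a user-writable directory", pid))
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        out.append(Finding("T1059.001", f"PowerShell spawned by {parent}", pid))
    return out


def analyze_task(ev: dict) -> list[Finding]:
    """Rules over one task-registration record; 4698 carries the task XML.

    The task name is deliberately ignored: the report shows semi-random names
    such as 'Nuclear Pharmacy', so the rule keys on the action instead.
    """
    out = []
    root = ET.fromstring(ev["TaskContent"])
    for action in root.iter(f"{TASK_NS}Exec"):
        cmd = action.findtext(f"{TASK_NS}Command") or ""
        args = action.findtext(f"{TASK_NS}Arguments") or ""
        if basename(cmd) in SCRIPT_HOSTS and js_from_user_dir(args):
            out.append(Finding("T1053.005", f"task runs {basename(cmd)} on a user-directory .js", ev["TaskName"]))
    return out


def hunt(events: list[dict]) -> list[Finding]:
    out = []
    for ev in events:
        out.extend(analyze_task(ev) if "TaskContent" in ev else analyze_process(ev))
    return out


# Constructed sample telemetry (not from the Trellix report): the chain a
# user produces after opening the zipped .js from a poisoned search result,
# plus two benign records that must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\contract agreement 86554.js"'},
    {"ProcessId": 4188, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -NoProfile"},
    {"ProcessId": 5002, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"},
    {"TaskName": r"\Nuclear Pharmacy", "TaskContent": (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions><Exec><Command>wscript.exe</Command>'
        '<Arguments>"C:\\Users\\alice\\AppData\\Roaming\\Nuclear Pharmacy\\86554.js"</Arguments>'
        '</Exec></Actions></Task>')},
    {"TaskName": r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan",
     "TaskContent": (
        '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions><Exec><Command>C:\\Program Files\\Windows Defender\\MpCmdRun.exe</Command>'
        '<Arguments>Scan -ScheduleJob</Arguments></Exec></Actions></Task>')},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.reason} [{f.key}]")
```

Two design points: the process rules fire on the wscript-to-powershell parent/child relationship rather than on PowerShell arguments, since the second stage can be rewritten in another language without changing that relationship; and the task rule ignores the task name entirely, because names like ‘Nuclear Pharmacy’ are generated semi-randomly and a name list would go stale immediately. Run the script as-is to see the three findings; feed it your own exported events as dicts with the same field names.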

Indicators of Compromise

  • [Hash] MD5 – 86c20347bc7ce3da141ffc42d59b7763
  • [Hash] SHA-1 – e40271e893cdcb3e0454253782fb737f604f56c3
  • [Hash] SHA-256 – 31002fda99def3259e8d1fc0c6647c0281442b80793eb7fedd9b199b6946e8f0
  • [FileName] 86554.js, 29322.js – names of the JavaScript loader files observed in the keyword-driven download table and in the analysis
  • [Domain] C2/decoy domains – the loader cycles through multiple C2 URLs and mixes in decoy domains to stagger payload delivery; no explicit domain strings are given in this summary

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/no-more-macros-better-watch-your-search-results.html