The Gootloader malware employs sophisticated social engineering tactics to infect users through compromised WordPress sites. It manipulates search engine results to direct victims to these sites, where they encounter fake message boards that link to the malware. The infection process is complex and heavily obfuscated, making it difficult for even site owners to detect. Sophos X-Ops has reconstructed the operational methods of Gootloader using various clues from the threat landscape.
Affected: WordPress
Key points:
- Gootloader uses social engineering to lure victims via hijacked Google search results.
- Compromised WordPress sites display fake message boards that link to the malware.
- The infection process involves complex code running on both the compromised server and a central “mothership” server.
- Obfuscation techniques make it hard for site owners to identify malware modifications.
- Security researchers reconstructed Gootloader’s methods using open-source intelligence.
- The malware has been active for nearly eight years, adapting its tactics over time.
- Gootloader employs poisoned SEO to rank malicious pages high in search results.
- Malicious code is often hidden within benign WordPress plugins like Hello Dolly.
MITRE Techniques:
- Initial Access (T1071): Gootloader uses social engineering via search engine manipulation to gain initial access.
- Execution (T1203): The malware executes through malicious JavaScript files that are downloaded by victims.
- Persistence (T1136): Malicious code is embedded in compromised WordPress installations, often within benign plugins.
- Command and Control (T1071): The mothership server orchestrates the infection process and manages communication with compromised sites.
- Exfiltration (T1041): The malware collects data from victims’ machines and sends it back to the command server.
Indicators of Compromise:
- [domain] my-game[.]biz
- [ip address] 5.8.18[.]7
- [ip address] 91.215.85[.]52
- [file name] HelloDolly.php
- [file hash] 03a46ad7873ddb6663377282640d45e38697e0fdc1512692bcaee3cbba1aa016
- See the full article for the complete list of IoCs.
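The indicators above are most useful when a site owner can actually sweep a WordPress install with them. The following Python script is an added, defender-side example (it is not code from the Sophos article or from Sophos X-Ops): it walks a plugins directory, hashes every file, and reports a hash match against the file hash listed above, and separately reports any file named HelloDolly.php, since the article notes that malicious code is planted inside the otherwise benign Hello Dolly plugin. The directory tree it scans in `demo()` is constructed for the demonstration; the second hash it registers as bad is computed from a constructed placeholder file, not from real malware.

```python
"""Added example: sweep a WordPress plugins directory for Gootloader indicators.

Two checks run on every file under the given root:
  1. SHA-256 match against a set of known-bad hashes (the article's hash is included).
  2. File-name match for HelloDolly.php. A name match alone is only a lead, since the
     real Hello Dolly plugin ships with WordPress, so it is reported separately.
"""
import hashlib
import os
import tempfile

# File hash taken from the article's IoC list.
KNOWN_BAD_SHA256 = {
    "03a46ad7873ddb6663377282640d45e38697e0fdc1512692bcaee3cbba1aa016",
}
# File name taken from the article's IoC list (compared case-insensitively).
SUSPICIOUS_NAMES = {"hellodolly.php"}


def sha256_of_file(path, chunk_size=65536):
    """Stream the file so large uploads or media files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_plugins_dir(root, bad_hashes=KNOWN_BAD_SHA256, suspicious_names=SUSPICIOUS_NAMES):
    """Walk `root`; return sorted (relative_path, reason, sha256) findings.

    Relative paths use forward slashes so results are stable across platforms.
    A hash match takes precedence over a name match for the same file.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = sha256_of_file(path)
            if digest in bad_hashes:
                findings.append((rel, "hash-match", digest))
            elif name.lower() in suspicious_names:
                findings.append((rel, "name-match", digest))
    return sorted(findings)


def demo():
    """Constructed sample tree (no real malware): one clean plugin file, one file
    carrying the HelloDolly.php name, and one placeholder whose hash we register
    as bad so the hash path is exercised too."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "akismet"))
        os.makedirs(os.path.join(root, "hello-dolly"))
        with open(os.path.join(root, "akismet", "akismet.php"), "w") as f:
            f.write("<?php // constructed clean plugin placeholder\n")
        planted = os.path.join(root, "hello-dolly", "HelloDolly.php")
        with open(planted, "w") as f:
            f.write("<?php // constructed sample, flagged by name only\n")
        dropper = os.path.join(root, "akismet", "class.cache.php")
        with open(dropper, "w") as f:
            f.write("<?php // constructed sample, flagged by hash\n")
        # Constructed hash: the article's hash plus the digest of our placeholder.
        bad = KNOWN_BAD_SHA256 | {sha256_of_file(dropper)}
        return scan_plugins_dir(root, bad_hashes=bad)


if __name__ == "__main__":
    for rel, reason, digest in demo():
        print(f"{reason:10s} {rel}  sha256={digest}")
```

Point `scan_plugins_dir()` at `wp-content/plugins` (and, given the article's note on obfuscated modifications, also at `wp-content/uploads` and `wp-includes`) and extend `KNOWN_BAD_SHA256` with the remaining hashes from the full article. A name match should be followed by a diff of the flagged file against a clean copy of the plugin from the WordPress repository before treating it as confirmed.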
Full Research: https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/