Certain groups of cybercriminals, such as ransomware gangs, botnet operators, and financial fraudsters, get special attention for their attacks and operations. But the larger ecosystem that underpins digital crime includes a host of malicious actors and organizations that primarily sell support services to these criminal clients. Today, researchers from security firm eSentire reveal their methods for disrupting the operations of a long-running criminal enterprise that compromises businesses and organizations and then sells that digital access to other attackers.
Operating a model known as Initial Access as a Service, the Gootloader malware and the criminals behind it have been compromising and scamming victims for years. The Gootloader gang infects victim organizations and then sells that access, delivering the customer's preferred malware to the compromised network, whether it is ransomware, data-mining tools, or other tools to penetrate the target more deeply. By tracking Gootloader page data, for example, the eSentire researchers gathered evidence that the notorious Russia-based ransomware gang regularly worked with Gootloader between 2019 and 2022 to gain initial access to victims — a relationship other researchers have also noted.
Joe Stewart, principal security researcher at eSentire, and chief threat researcher Keegan Keplinger designed a web crawler to track live Gootloader web pages and previously infected sites. Currently, the two see about 178,000 web pages served directly by Gootloader and more than 100,000 pages that appear to have been infected with Gootloader in the past. In a retrospective advisory last year, the US Cybersecurity and Infrastructure Security Agency warned that Gootloader was one of the top malware strains of 2021, along with 10 others.
By tracking Gootloader activity and operations over time, Stewart and Keplinger have characterized how Gootloader covers its tracks and attempts to avoid detection, and have identified weaknesses in those techniques that defenders can exploit to protect networks from infection.
“Dig deeper into how the Gootloader system and malware work, and you can find all these small opportunities to affect their operations,” Stewart says. “When you catch my eye, you become obsessed with things, and that’s what you don’t want as a malware author: for researchers to be completely immersed in your processes.”
Out of sight, out of mind
Gootloader was developed from a banking Trojan known as Gootkit, which had mainly been infecting targets in Europe since early 2010. Gootkit was usually distributed through phishing emails or infected websites and was designed to steal financial information such as credit card details and bank account logins. Since activity that began in 2020, researchers have tracked Gootloader separately, because the malware delivery mechanism is increasingly being used to distribute a range of criminal software, including spyware and ransomware.
The Gootloader engine is known for distributing links to booby-trapped documents, especially templates and other generic forms. When targets click on links to download these documents, they inadvertently infect themselves with Gootloader malware. To get targets to initiate those downloads, the attackers use a tactic known as SEO poisoning: they compromise legitimate blogs, especially WordPress blogs, and then quietly add content containing the malicious document links, crafted so that the pages rank in search results for the documents people are looking for.
Gootloader is designed to inspect visitors to infected blog posts for a number of characteristics. For example, if someone is logged into a hacked WordPress blog, whether they have admin privileges or not, they will be blocked from seeing the blog posts that contain malicious links. Gootloader even goes so far as to permanently block IP addresses that are numerically close to the one from which that WordPress account logged in. The idea is to prevent other people in the same organization from seeing the malicious posts.
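The cloaking behaviour described above means a site owner who checks their own blog from the office, logged in, will never see the injected posts. The following added example (not eSentire's crawler or any code from the researchers) shows a defender-side check: it fetches the same page under several request profiles and reports links that appear only for visitors who look like search-engine referrals. The header values, the placeholder cookie name, the `example.invalid` URLs and the sample HTML are all constructed assumptions for illustration.

```python
"""Compare how a blog page renders for different visitor profiles.

Search-referral cloaking serves an injected post (with its document link)
only to visitors arriving from a search engine and hides it from logged-in
users. Fetching one URL under several profiles and diffing the outgoing
links surfaces content the owner's own admin view never shows.
"""
import re
import sys
import urllib.request
from typing import Callable, Dict, Set

# Hypothetical request profiles. Header values are assumptions for the
# demo, not a description of the real checks the malware performs.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
PROFILES: Dict[str, Dict[str, str]] = {
    "search_referral": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "direct_visit": {"User-Agent": BROWSER_UA},
    # Placeholder standing in for a real WordPress login cookie.
    "logged_in_user": {"User-Agent": BROWSER_UA, "Cookie": "wordpress_logged_in_PLACEHOLDER=1"},
}
BASELINE = "logged_in_user"  # the view the site owner normally checks

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def http_fetch(url: str, headers: Dict[str, str], timeout: float = 10.0) -> str:
    """Fetch url with the given headers and return the body as text."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def extract_links(html: str) -> Set[str]:
    """Collect every href target in the page (a crude but dependency-free parser)."""
    return {m.group(1).strip() for m in HREF_RE.finditer(html)}


def compare_views(url: str, fetch: Callable[[str, Dict[str, str]], str] = http_fetch) -> Dict[str, Set[str]]:
    """Per profile, return the links that profile sees but the baseline does not."""
    bodies = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    baseline_links = extract_links(bodies[BASELINE])
    return {name: extract_links(body) - baseline_links
            for name, body in bodies.items() if name != BASELINE}


def cloaked_links(url: str, fetch: Callable[[str, Dict[str, str]], str] = http_fetch) -> Set[str]:
    """Links served only to the search-referral profile: the cloaking signature."""
    diffs = compare_views(url, fetch)
    return diffs["search_referral"] - diffs["direct_visit"]


# Constructed sample responses so the check can be exercised offline.
_CLEAN_PAGE = ('<html><body><h1>Gardening tips</h1>'
               '<a href="https://blog.example.invalid/about">About</a></body></html>')
_INJECTED_PAGE = ('<html><body><h1>Gardening tips</h1>'
                  '<p>Download the <a href="https://example.invalid/download.php?id=1234">'
                  'free lease agreement template</a> here.</p>'
                  '<a href="https://blog.example.invalid/about">About</a></body></html>')


def sample_fetch(url: str, headers: Dict[str, str]) -> str:
    """Stand-in for http_fetch: cloaks the injected post from everyone but search referrals."""
    if "Referer" in headers:
        return _INJECTED_PAGE
    return _CLEAN_PAGE


if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = cloaked_links(sys.argv[1])  # live check against a URL you administer
    else:
        found = cloaked_links("https://blog.example.invalid/post", sample_fetch)
    for link in sorted(found):
        print("served only to search referrals:", link)
```

Because the malware also blocks IP addresses numerically close to the one a logged-in account used, run a live check from outside the organization's network and from a session without any WordPress cookies; a clean result obtained from inside the office proves nothing.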