Gootloader Malware Spreads via Google Ads with Weaponized Documents

The notorious Gootloader malware has resurfaced with a new campaign that combines old tactics with modern delivery methods.

This latest iteration leverages Google Ads to target users searching for legal document templates, such as non-disclosure agreements (NDAs) or lease agreements.

The campaign exemplifies the evolving strategies of threat actors who exploit trust in legitimate platforms to deliver malicious payloads.

Historically, Gootloader has relied on Search Engine Optimization (SEO) poisoning to lure victims to compromised WordPress sites hosting malicious files.

However, the recent campaign marks a shift as attackers now use their own infrastructure, including fake websites like “lawliner[.]com,” to distribute malware.

These sites are promoted through Google Ads, attributed to an advertiser named “MED MEDIA GROUP LIMITED,” which is suspected of being compromised.

Infection Chain: From Legal Templates to Malware

The infection process begins when a user searches for legal templates online, such as “non-disclosure agreement template.”

Among the top search results, they encounter a sponsored ad for “lawliner[.]com.”

Upon clicking the ad, users are directed to a professional-looking webpage offering the desired document.

According to the Report, to access it, they are prompted to provide their email address.

Shortly after providing their email, victims receive an email from “lawyer@skhm[.]org” containing a link to download the requested file.

While the link appears legitimate, it delivers a ZIP file containing a malicious JavaScript (.JS) file disguised as the requested document.

For example, a file named “non_disclosure_agreement_nda.zip” contains “non_disclosure_agreement_nda.js.”

Once executed, the JavaScript file initiates the typical Gootloader infection chain.

It creates a scheduled task for persistence and drops another JavaScript file in the user’s %AppData%\Roaming directory.

This file then executes PowerShell commands to contact multiple WordPress blogs some compromised and others decoys to download additional payloads or establish communication with command-and-control (C2) servers.

Technical Sophistication and Evasion Techniques

Gootloader is known for its advanced evasion techniques.

The malware employs heavy obfuscation, source code encoding, and payload size inflation to resist detection and analysis.

It also embeds malicious code within legitimate JavaScript libraries like jQuery and Lodash, further complicating its identification.

The infection chain includes multiple stages:

1. Execution of the initial JavaScript payload via Windows Script Host (WScript.exe).
2. Creation of scheduled tasks for persistence.
3. Deployment of secondary payloads using PowerShell.
4. Communication with C2 servers for reconnaissance and downloading additional malware.

The malware’s modular design allows it to deliver various payloads, including ransomware (e.g., REvil), banking trojans (e.g., Kronos), and post-exploitation tools like Cobalt Strike.

To counter this threat, cybersecurity experts recommend blocking traffic to domains associated with this campaign, such as “lawliner[.]com” and “skhm[.]org,” at both web and email gateways.

Organizations should also monitor historical logs for any interactions with these domains and educate users about the risks of downloading files from unverified sources.

Given Gootloader’s focus on legal-themed lures and its ability to exploit trusted platforms like Google Ads, vigilance remains critical.

Organizations should implement robust endpoint protection solutions capable of detecting obfuscated scripts and monitor network traffic for suspicious activity linked to known indicators of compromise (IOCs).

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!