Hacking the hackers: Gootloader is a long-running cyber-criminal operation based on an "initial access-as-a-service" model: the gang behind the malware infects organizations, then sells that access to "customers" looking for an entry point from which to go deeper into the victim's network. To thwart the operation, researchers fought fire with fire.

The Gootloader malware originated from the Gootkit banking trojan, which has been active against European targets since 2010. The malicious operation allows third-party criminals to put their malware (especially ransomware) into a compromised network. The gang behind it has been particularly successful over the past several years.

Security researchers at eSentire have tracked recent Gootloader activities and are now explaining how it works and what's needed to fight it. The Gootloader operation uses SEO poisoning techniques, luring potential victims to an "enormous array" of compromised WordPress blogs.

The operation is tailored to exploit victims more inclined to pay a ransom to get their data back. The blogs are populated with bait content, including links to malicious documents, templates, and other generic forms. When the target clicks these links, they unintentionally infect their Windows machine with the main Gootloader malware.

Gootloader's most common victims are professionals working for law firms and corporate legal departments. The analysts explain that bad actors use blog posts about legal agreements and contracts to lure people in those positions into downloading their malicious code. Legal professionals have essentially been the primary target of the Gootloader gang for the past 15 months, with 12 different organizations targeted between January and March 2023.

The eSentire researchers created a specialized web crawler to keep track of Gootloader-related web pages and previously infected sites. They found around 178,000 live Gootloader pages and another 100,000+ previously infected sites. The researchers collected evidence that links Gootloader to the infamous Russian REvil gang, which regularly partnered with the malware's network between 2019 and 2020 to infect, encrypt, and scam compromised organizations.

Gootloader also shields its poisoned blog posts by never displaying the malicious posts to logged-in users, a clever tactic to avoid alarming site administrators. The malware operators permanently block the IP addresses of admins, as well as "several netblocks above and below their IP addresses," so users within these netblocks never see the pages with malicious links.

Gootloader checks the malware source page daily, so the researchers can "selectively keep anybody" safe from the malware by using the malware's blocking system against it. All the researchers have to do is visit the payload page with any IP address they want to be included in the admin ban list.
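The blocklist behaviour described above, modelled as an added example (not code from the article or from eSentire): a logged-in visit or a visit from a banned netblock suppresses the bait, and recording an "admin" visit from any chosen IP bans the surrounding blocks, which is what lets a defender shield their own egress range. The netblock size (/24) and the number of neighbouring blocks (2 each side) are constructed assumptions, since the article only says "several netblocks above and below"; the addresses used are documentation ranges.

```python
import ipaddress

# Assumed for the model: the article does not state the netblock size or how
# many neighbouring blocks are banned. /24 and 2 blocks each side are placeholders.
NETBLOCK_PREFIX = 24
NEIGHBOUR_BLOCKS = 2
IPV4_MAX = (1 << 32) - 1


def netblocks_around(ip, prefix=NETBLOCK_PREFIX, spread=NEIGHBOUR_BLOCKS):
    """Return the /prefix block containing `ip` plus `spread` blocks on each side (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)
    home = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    size = home.num_addresses
    blocks = []
    for k in range(-spread, spread + 1):
        start = int(home.network_address) + k * size
        if 0 <= start <= IPV4_MAX:  # skip blocks that would fall off either end of the address space
            blocks.append(ipaddress.ip_network(f"{ipaddress.IPv4Address(start)}/{prefix}"))
    return blocks


class CloakingModel:
    """Simplified model of the cloaking logic: who gets to see the poisoned post."""

    def __init__(self):
        self.banned = set()  # set of ip_network objects that never receive bait content

    def record_admin_visit(self, ip):
        """A visit treated as an administrator's bans the visitor's block and its neighbours."""
        self.banned.update(netblocks_around(ip))

    def serves_bait(self, ip, logged_in=False):
        """Bait is withheld from logged-in users and from any address inside a banned block."""
        if logged_in:
            return False
        addr = ipaddress.IPv4Address(ip)
        return not any(addr in block for block in self.banned)


if __name__ == "__main__":
    model = CloakingModel()
    model.record_admin_visit("203.0.113.10")          # constructed: a site admin's address
    print(model.serves_bait("203.0.114.77"))           # neighbouring block, bait withheld -> False
    print(model.serves_bait("198.51.100.5"))           # unrelated visitor still sees bait -> True
    model.record_admin_visit("198.51.100.5")           # defender "visits" from the IP to protect
    print(model.serves_bait("198.51.100.5"))           # now shielded -> False
```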

Even though the researchers aren't declaring victory yet, eSentire "can potentially protect wide swaths of the internet" from Gootloader. Now that they have publicly disclosed this mitigation, the researchers expect the Gootloader gang to change its blocking system. So the cat-and-mouse game between security professionals and cyber-criminals will continue. The team is ready and watching.