loading

155247 author: SophosXOps@infosec.exchange 16 Jan 2025 17:03
re: Long thread
tags: #Gootloader #malware #phishing

Nobody knows exactly how the #Gootloader operators are finding and taking control over personal and business websites that use WordPress, but it's likely due to an earlier compromise of the site's administrator credentials, through #malware or #phishing. Stolen credentials for WordPress sites are a dime a dozen on the criminal underground.

The insidious nature of Gootloader means even the site's owners, who still have working admin passwords, cannot readily determine that the site is being misused for evil.

Source of the Gootloader landing pages reveal a number of different search terms and phrases the threat actors wanted search engines to index. The linked subpages (selected with green) don't actually exist. The injected WordPress code defines a few hooks, one of them is for non-existing pages. This will serve the fake forum discussion, when the victim clicks on the search result

155245 author: SophosXOps@infosec.exchange 16 Jan 2025 17:00
tags: #Gootloader #malware #seo
to: https://infosec.exchange/users/threatresearch

Hi everyone, it's @threatresearch driving the X-Ops social media today to let you know about a story we just published, written by my colleague Gabor Szappanos.

Szapi has done significant research in the past into a #malware family called #Gootloader that (for years, now) uses malicious #SEO techniques to promote compromised websites into Google search results.

This research finally cracks wide open the mystery of how they manage to do that so effectively. It's a long read, but well worth the deep dive.

https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/ ‎