Recently, rapid growth in the use of a JavaScript-based infection framework known as Gootloader has been detected distributing malware payloads. Gootloader has been used to deliver the Gootkit banking Trojan, REvil ransomware, Cobalt Strike, and the Kronos Trojan via compromised WordPress websites.

Those responsible for Gootloader target vulnerable WordPress websites and plant hundreds of pages of fake content, often completely unrelated to the theme of the site. A wide variety of websites have been affected across many industry sectors, including retail, education, healthcare, travel, music, and many more, with the common denominator that they all run the WordPress CMS.

It is not yet known how the WordPress sites were compromised. The sites may not have been updated to the latest WordPress version, or may have run vulnerable plugins that were exploited; legitimate admin accounts could also have been compromised through brute-force attacks or other methods.

The content placed on the compromised sites takes the form of forum posts and fake message boards with specific questions and answers. The questions mostly relate to certain types of legal agreements and other documents. A review of the campaign by eSentire researchers found that the majority of the posts on the compromised websites included the word “agreement”. Each post features a question, such as “Do I need a party wall agreement to sell my house?”, followed by a reply that repeats the exact search term and contains a link users can click to download a template agreement.

These pages pose very specific questions for which there are few existing search engine listings, so when search engines crawl the sites, the content ranks highly in the SERPs for that particular search term. Relatively few people may search for these terms, but most of those who do are looking for a sample agreement and will download the file.

The file that the link leads the user to download is a JavaScript file hidden inside a .zip archive. If that file is opened, the rest of the infection process runs in memory, beyond the reach of traditional antimalware solutions. An autorun entry is created that loads a PowerShell script for persistence, which is ultimately used to deliver whatever payload the threat actor chooses.
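The persistence step described above, an autorun entry that launches PowerShell, is something a defender can check for directly. The script below is an added example and not code from the article or from any Gootloader analysis; it enumerates the standard Run and RunOnce registry keys and both Startup folders and flags entries whose command line invokes PowerShell or a Windows script host, or uses the encoded/hidden-window switches commonly seen with script-based persistence. The pattern list is an assumption for illustration, not an indicator published on this page.

```powershell
# Added example, not from the article: enumerate autorun locations and flag
# entries that launch PowerShell or a Windows script host, the persistence
# pattern described above. Run in an elevated PowerShell session.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hosts and switches worth a second look. This regex is an assumption chosen
# for illustration, not an indicator taken from the article.
$suspicious = 'powershell(\.exe)?|pwsh|wscript|cscript|mshta|-enc|-EncodedCommand|-w(indow(style)?)? hidden|-nop|-noprofile|FromBase64String'

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider's own PSPath/PSParentPath/... metadata properties.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $suspicious) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# Also list scripts and shortcuts dropped into the per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$startupFiles = Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.js', '.jse', '.vbs', '.vbe', '.ps1', '.lnk', '.bat', '.cmd' }

if ($findings) { $findings | Format-Table -AutoSize } else { 'No suspicious Run/RunOnce entries found.' }
if ($startupFiles) { $startupFiles | Select-Object FullName, LastWriteTime | Format-Table -AutoSize }
```

A hit is not proof of infection; legitimate software also registers Run entries, so each flagged command line should be reviewed alongside the file it points to. For fleet-wide coverage the same logic belongs in an EDR query or a scheduled collection rather than an interactive script.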

The content placed on the websites contains malicious code that shows the fake forum posts only to visitors from certain locations; underneath is a blog post that at first glance appears genuine but is mostly gibberish. That blog post is displayed to everyone who is not specifically being targeted.

The campaign uses black hat SEO techniques to get the content listed in the SERPs. Google and other search engines will eventually remove such listings, but that process can take some time.

Preventing these attacks requires a combination of security solutions and training. Downloading any document or file from the Internet carries a risk of malware infection. That risk can be reduced with a web filtering solution: web filters block access to websites that have been flagged as malicious and perform content analysis on new content. A web filter can also be configured to block downloads of certain file types, such as JavaScript files and Zip archives.

Endpoints should be configured to display known file extensions, which Windows hides by default, so that the .js extension is visible. End users should be advised not to open such files, and Windows Attack Surface Reduction rules should be set to prevent JavaScript and Visual Basic scripts from launching downloaded files.
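The two endpoint settings recommended above can be applied from an elevated PowerShell session. The script below is an added example, not code from the article: it clears the Explorer HideFileExt option so the .js extension is shown, and enables the Microsoft Defender Attack Surface Reduction rule "Block JavaScript or VBScript from launching downloaded executable content" using Microsoft's published GUID for that rule. The ASR part assumes Microsoft Defender Antivirus is the active engine on the endpoint; organizations using Intune or Group Policy would push the same settings centrally instead.

```powershell
# Added example, not from the article: apply the two endpoint hardening
# settings the text recommends. Run as Administrator. The ASR rule requires
# Microsoft Defender Antivirus to be the active AV engine.

# 1. Show file extensions for known types (HideFileExt = 0) for the current user.
#    Explorer applies the change after it restarts (sign out/in or restart explorer.exe).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advKey -Name 'HideFileExt' -Value 0 -Type DWord

# 2. Enable the ASR rule "Block JavaScript or VBScript from launching downloaded
#    executable content". The GUID is Microsoft's documented identifier for this rule.
#    Use -AttackSurfaceReductionRules_Actions AuditMode first if you want to
#    measure impact before enforcing it.
$ruleId = 'D3E037E1-3EB8-44C8-A917-57927947596D'
Add-MpPreference -AttackSurfaceReductionRules_Ids $ruleId -AttackSurfaceReductionRules_Actions Enabled

# 3. Verify both settings. For the ASR action, 1 = Block (Enabled), 2 = Audit.
$hideExt = (Get-ItemProperty -Path $advKey -Name 'HideFileExt').HideFileExt
"HideFileExt is now $hideExt (0 = extensions shown)"

$prefs = Get-MpPreference
$configured = $false
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    # GUIDs may be returned in a different letter case, so compare case-insensitively.
    if ($prefs.AttackSurfaceReductionRules_Ids[$i] -ieq $ruleId) {
        "ASR rule $ruleId action: $($prefs.AttackSurfaceReductionRules_Actions[$i])"
        $configured = $true
    }
}
if (-not $configured) { "ASR rule $ruleId is not configured" }
```

Events for the ASR rule appear in the Microsoft-Windows-Windows Defender/Operational log (audit and block events), which gives the security team a way to confirm that a user who opened a downloaded .js file was actually stopped rather than relying on the setting alone.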