Gootloader Poisoned Blogs Uncovered by Deepwatch’s ATI Team
Imagine a threat actor so determined to sound authentic that they write hundreds of blog posts just to get your attention. Now imagine the author (or more than one) hosting those blogs on a legitimate site that translates them into three different languages, then luring visitors to a fake forum page whose "helpful" links lead into a well-conceived trap.
Now imagine them boosting those posts in search engine results. In our latest report from Deepwatch's Adversary Tactics and Intelligence (ATI) group, we look at a technique in which threat actors compromise legitimate websites, create fake blog posts, and use overlays to display a fake forum page over those blog posts, all to snare government, legal, real estate, medical, and education victims with highly targeted content.
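The overlay trick described above, where a fake forum page is layered over a legitimate-looking blog post, leaves a footprint in the page's HTML that can be checked offline. The following is an added example, not code from Deepwatch's report or from the Gootloader operators; it assumes (as a hypothesis, not a documented indicator) that the overlay is an element covering the viewport (fixed or absolute positioning with a high z-index), that the original article is hidden with `display:none`, and that the overlay contains forum-style wording plus a link to an archive or script file. All sample HTML is constructed, and `example.invalid` is a placeholder host.

```python
"""Heuristic scan of a saved page for a fake-forum overlay over a blog post.
Added example (not from the report). Assumptions: overlay = fixed/absolute
element with high z-index; original article hidden via display:none; overlay
text uses forum wording and links to a .zip/.js/.exe/.rar file."""
import re
from html.parser import HTMLParser

FORUM_TERMS = ("forum", "thread", "reply", "posted by", "topic", "download")
PAYLOAD_RE = re.compile(r"\.(zip|js|exe|rar)(\?|#|$)", re.I)
HIDDEN_TEXT_MIN = 500  # chars of display:none text before we call it a hidden article


def _style(attrs):
    """Parse an inline style attribute into a lowercase dict."""
    raw = dict(attrs).get("style") or ""
    out = {}
    for decl in raw.split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            out[key.strip().lower()] = val.strip().lower()
    return out


def _covers_viewport(style):
    """Fixed/absolute element with a very high z-index: overlay candidate."""
    if style.get("position") not in ("fixed", "absolute"):
        return False
    m = re.search(r"-?\d+", style.get("z-index", ""))
    return bool(m) and int(m.group()) >= 1000


class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []       # open elements, each collecting its subtree
        self.overlays = []    # finished overlay candidates
        self.hidden_text = 0  # longest text run inside a display:none element

    def handle_starttag(self, tag, attrs):
        style = _style(attrs)
        if tag == "a":
            href = dict(attrs).get("href") or ""
            for node in self.stack:   # every open ancestor records the link
                node["hrefs"].append(href)
        self.stack.append({"tag": tag, "overlay": _covers_viewport(style),
                           "hidden": style.get("display") == "none",
                           "text": [], "hrefs": []})

    def handle_data(self, data):
        text = data.strip()
        if text:
            for node in self.stack:   # every open ancestor collects the text
                node["text"].append(text)

    def handle_endtag(self, tag):
        # Pop back to the matching tag so unclosed/void elements do not linger.
        while self.stack:
            node = self.stack.pop()
            self._finish(node)
            if node["tag"] == tag:
                break

    def close(self):
        super().close()
        while self.stack:             # flush anything still open at EOF
            self._finish(self.stack.pop())

    def _finish(self, node):
        text = " ".join(node["text"])
        if node["hidden"]:
            self.hidden_text = max(self.hidden_text, len(text))
        if node["overlay"]:
            node["text"] = text.lower()
            self.overlays.append(node)


def scan_page(page_html):
    """Return overlay / hidden-article findings and a verdict for one page."""
    scanner = _Scanner()
    scanner.feed(page_html)
    scanner.close()
    details = []
    for ov in scanner.overlays:
        terms = [t for t in FORUM_TERMS if t in ov["text"]]
        links = [h for h in ov["hrefs"] if PAYLOAD_RE.search(h)]
        if len(terms) >= 2 and links:  # forum wording AND a payload link
            details.append({"forum_terms": terms, "payload_links": links})
    hidden = scanner.hidden_text >= HIDDEN_TEXT_MIN
    verdict = "suspicious" if details and hidden else "review" if details or hidden else "clean"
    return {"overlay_forum": bool(details), "hidden_article": hidden,
            "details": details, "verdict": verdict}


# Constructed samples: a clean post with an ordinary cookie banner, and the
# same post hidden beneath a fake forum overlay that links to a .zip file.
ARTICLE = ("<h1>Confidentiality Agreement for Interpreters</h1>"
           "<p>" + "Sample article text. " * 40 + "</p>")
CLEAN_PAGE = ("<html><body><div style='position:fixed;bottom:0;z-index:9999'>"
              "We use cookies. <a href='/privacy'>Learn more</a></div>"
              "<article>" + ARTICLE + "</article></body></html>")
INJECTED_PAGE = ("<html><body><div style='display:none'>" + ARTICLE + "</div>"
                 "<div style='position:fixed;top:0;left:0;width:100%;height:100%;"
                 "z-index:99999;background:#fff'><h2>Forum</h2>"
                 "<p>Topic: confidentiality agreement for interpreters</p>"
                 "<p>Posted by admin. Download the template "
                 "<a href='https://example.invalid/files/agreement.zip'>here</a>"
                 "</p><p>Reply</p></div></body></html>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page))
```

The cookie banner in the clean sample is deliberately an overlay candidate (fixed, high z-index) so the check shows why forum wording and a payload link are both required before a page is flagged; a real deployment would run `scan_page` over crawled copies of a site's posts and review anything rated `review` or `suspicious`.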
In late August, Deepwatch’s Adversary Tactics and Intelligence (ATI) group responded to a customer incident highly likely associated with Gootloader threat actors using the search engine optimization (SEO) poisoning technique.
Analysis of the blog post subjects suggests the campaign may be influenced by a foreign intelligence service: the threat actors used blog post titles that an individual would search for if their organization may be of interest to such a service, e.g. "Confidentiality Agreement for Interpreters." The Threat Intel Team discovered that the threat actors highly likely created 192 blog posts on one site.
The fake blog posts cover topics relevant to government, legal, healthcare, real estate, and education. Several blog posts are related to business and real estate transactions in US states like California, Washington, and Wisconsin; while others cover topics relevant to Australia, Canada, New Zealand, the United Kingdom, the United States, and other countries.
You can read how Deepwatch approaches cyber threat intelligence here.
Why It Matters
Threat actors are becoming more sophisticated and are putting in an unusual amount of effort. Understanding how attacks like these work allows you to identify gaps in your security posture and prepare employees for clever phishing techniques.