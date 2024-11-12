Cybercriminals have employed an unusual tactic in a new malware campaign to trick victims - by using cats.

The campaign, uncovered by Sophos researchers, exploits search engine optimisation (SEO) poisoning to drive users to compromised websites that deliver the GootLoader malware, disguised as legitimate information about Bengal cat ownership laws in Australia.

According to Sophos, search queries such as “Are Bengal Cats legal in Australia?” led unsuspecting users to malicious websites. Upon clicking, victims were prompted to download a .zip file containing JavaScript malware.

The report warned: “Users should still look out for search results and search advertisements that seem too good to be true on domains that are off the beaten path - whether they’re looking to get a Bengal Cat or not.”

The first stage of the attack involves the download of a malicious JavaScript file. Once executed, the malware drops a second-stage payload, GootKit, a highly evasive information stealer and remote access trojan (RAT). GootKit establishes persistence by creating scheduled tasks and communicates with command-and-control (C2) servers to exfiltrate system information. The malware can pave the way for additional tools such as Cobalt Strike or ransomware.
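To show how a defender might hunt for the chain described above (a Windows script host running a downloaded .js file, followed by scheduled-task persistence on the same host), here is an added example that is not from the Sophos report; the event field names and the sample telemetry are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_DROP_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\")
base = lambda path: path.rsplit("\\", 1)[-1].lower()

def script_path(cmdline):
    """Return the .js/.jse path handed to a script host, or None."""
    m = re.search(r'"([^"]+\.jse?)"|(\S+\.jse?)(?=\s|$)', cmdline, re.I)
    return (m.group(1) or m.group(2)).lower() if m else None

def stage(ev):
    """Classify one process-creation event as 'js_exec', 'persist' or None."""
    image, cmd = base(ev["image"]), ev["cmdline"]
    if image in SCRIPT_HOSTS:
        path = script_path(cmd)
        if path and any(d in path for d in USER_DROP_DIRS):
            return "js_exec"          # script host running a .js from a user drop location
    if image == "schtasks.exe" and "/create" in cmd.lower() and base(ev["parent"]) in SCRIPT_HOSTS:
        return "persist"              # scheduled task created by a script host
    return None

def find_chains(events, window=timedelta(minutes=10)):
    """Pair each js_exec with a later persist event on the same host within window."""
    hits, last_js = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        s = stage(ev)
        if s == "js_exec":
            last_js[ev["host"]] = ev["time"]
        elif s == "persist" and ev["host"] in last_js and ev["time"] - last_js[ev["host"]] <= window:
            hits.append((ev["host"], last_js[ev["host"]], ev["time"]))
    return hits

# Constructed sample telemetry (not from the Sophos report); field names are assumed.
T = datetime.fromisoformat
SAMPLE_EVENTS = [
    {"host": "WS01", "time": T("2024-11-12T09:00:00"), "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\bengal_cat_laws\bengal_cat_laws_australia.js"'},
    {"host": "WS01", "time": T("2024-11-12T09:01:30"), "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /sc onlogon /tr "wscript.exe C:\Users\alice\AppData\Roaming\launch.js"'},
    {"host": "WS02", "time": T("2024-11-12T09:05:00"), "image": r"C:\Windows\System32\cscript.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'cscript.exe "C:\Program Files\Vendor\inventory.js"'},          # benign: script from a program directory
    {"host": "WS02", "time": T("2024-11-12T09:06:00"), "image": r"C:\Windows\System32\schtasks.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /sc daily /tr "C:\Tools\backup.exe"'},  # benign: no script-host parent
]

if __name__ == "__main__":
    for host, js_t, task_t in find_chains(SAMPLE_EVENTS):
        print(f"{host}: .js run by script host at {js_t:%H:%M:%S}, task created at {task_t:%H:%M:%S}")
```

The two WS02 events show the point of correlating stages: a script run from a program directory, or a task created without a script-host parent, does not fire on its own.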

Sophos researchers also identified a specific example during a threat-hunting campaign, where a search query about Bengal cats directed users to a compromised site hosting a malicious .zip file. The downloaded file contained heavily obfuscated JavaScript designed to evade detection. “This campaign highlights the continued growth in SEO poisoning as a method of initial compromise,” Sophos said.

GootLoader, once linked to specific cybercriminal operations like the REvil ransomware, has evolved into a malware-as-a-service platform used to deliver various malicious payloads. Its operators use SEO techniques to rank malicious websites high in search results, increasing the likelihood of victim engagement.

While Sophos endpoint protection can block GootLoader, the researchers warned: “The use of SEO poisoning to manipulate search results is not new, but it remains an effective tool for attackers to deliver malware.”