The Gootloader malware has re-emerged with a refined campaign, leveraging Google Ads to target users searching for legal document templates such as non-disclosure agreements (NDAs) or lease agreements.
This new tactic combines modern advertising techniques with traditional social engineering, marking a shift from its previous reliance on compromised WordPress blogs for SEO poisoning.

The attackers now use their own infrastructure, including fake websites like lawliner[.]com, hosted under the advertiser name “MED MEDIA GROUP LIMITED,” which is suspected to be compromised.
When users click on these ads, they are directed to professional-looking pages offering legal templates.
To access the documents, users are prompted to provide their email address.
Subsequently, they receive an email from lawyer@skhm[.]org containing a link to download the requested file.
Infection Chain: From Legal Templates to Malware
While the email appears to deliver a benign Word document, the actual payload is a ZIP archive containing a JavaScript (.JS) file disguised as the requested legal template.
Upon execution, this JavaScript file initiates the infection process:
- Scheduled Task Creation: The malware creates a scheduled task that ensures persistence by running at startup.
- Secondary Payload Deployment: Another JavaScript file is dropped into the user’s %AppData%\Roaming directory.
- PowerShell Execution: The malware launches PowerShell scripts to communicate with a series of WordPress blogs, some compromised and others likely decoys intended to mislead investigators and sandbox environments.
According to the report, this infection chain mirrors previous Gootloader campaigns but incorporates a new delivery method via Google Ads.
The threat actors continue to exploit legal-themed lures and meticulous planning to deceive users.
Technical Characteristics and Evasion Techniques
Gootloader employs sophisticated evasion tactics, including payload obfuscation and process injection.
The initial JavaScript payload is heavily encrypted and large in size, often exceeding 3.5MB, making detection challenging.
It executes via Windows Script Host (wscript) and cscript processes before transitioning to PowerShell for reconnaissance and communication with its command-and-control (C2) servers.
The malware’s ability to evade detection is further enhanced through techniques like source code encoding, control flow obfuscation, and embedding malicious code within legitimate JavaScript libraries such as jQuery and Lodash.
These measures make it harder for security tools to identify malicious activity.

Security researchers recommend blocking or flagging domains such as lawliner[.]com and skhm[.]org in both web traffic and email communications.
Organizations should also review historical logs for interactions with these domains.
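The log review recommended above, together with the wscript-to-PowerShell execution chain described in the infection section, can be turned into a small hunting script. The following Python is an added example, not code from the article or its source report; the log lines are constructed samples in a simple key=value form, and the field names (dst, from, parent, image) are assumptions about the log format.

```python
import re

# Indicator domains named in the article, kept defanged; refang() restores the
# dotted form so they can be matched against real log entries.
DEFANGED_IOCS = ["lawliner[.]com", "skhm[.]org"]

def refang(indicator: str) -> str:
    """Turn 'example[.]com' into 'example.com' for matching."""
    return indicator.replace("[.]", ".")

IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}

# Constructed sample log lines (not real telemetry): two web-proxy entries, one
# mail-gateway entry and two process-creation events. Field names are assumed.
SAMPLE_LOGS = [
    "proxy 2025-02-03T10:02:11Z user=alice dst=www.lawliner.com:443 action=allow",
    "proxy 2025-02-03T10:05:47Z user=bob dst=cdn.example.org:443 action=allow",
    "mail  2025-02-03T10:06:02Z from=lawyer@skhm.org to=alice@corp.example subject=NDA",
    'proc  2025-02-03T10:09:30Z parent=wscript.exe image=powershell.exe cmdline="-nop -w hidden"',
    'proc  2025-02-03T10:09:41Z parent=explorer.exe image=notepad.exe cmdline="notes.txt"',
]

# Pull the host out of a proxy destination or a sender address.
HOST_RE = re.compile(r"(?:dst=|from=\S+@)([A-Za-z0-9.-]+)")
# Script host handing off to PowerShell, the execution chain described above.
CHAIN_RE = re.compile(r"parent=(wscript|cscript)\.exe\s+image=powershell\.exe", re.I)

def host_matches_ioc(host: str) -> bool:
    """True when host is an IOC domain or a subdomain of one.

    Suffix matching on a dot boundary avoids substring false positives such as
    'notlawliner.com' while still catching 'www.lawliner.com'.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def hunt(lines):
    """Return (reason, line) pairs for lines that warrant investigation."""
    findings = []
    for line in lines:
        m = HOST_RE.search(line)
        if m and host_matches_ioc(m.group(1)):
            findings.append(("ioc-domain", line))
        if CHAIN_RE.search(line):
            findings.append(("wscript-to-powershell", line))
    return findings

if __name__ == "__main__":
    for reason, line in hunt(SAMPLE_LOGS):
        print(f"{reason:22} {line}")
```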
Advanced threat detection tools, such as interactive malware sandboxes, can help analyze suspicious files and uncover Gootloader’s behavior before it causes harm.
By staying vigilant against evolving tactics like malicious advertising campaigns and obfuscated payloads, organizations can reduce their exposure to threats like Gootloader malware.