Gootloader is a Trojan downloader that is part of the Gootkit family. Gootloader may install other threats onto the computer or collect information. Users should protect their PCs with a dedicated anti-malware product that removes Gootloader, and should avoid downloading unusual ZIP archives reached through Google searches, which are the Trojan's current infection vector.
Google Searching Your Way into Trouble
By now, Google is such a dominant Web search service that its name is synonymous with searching the Web for site results and answers to questions. A threat actor with access to the Gootkit Trojan family is turning that fame into a black-market advantage by weaponizing Google's search-result algorithm. For some unlucky users, the answer to their question is Gootloader, a Trojan downloader.
The Gootloader campaign distributes the threat by hacking legitimate businesses' websites through methods that are not yet confirmed, which may include exploiting vulnerabilities in outdated software or brute-forcing logins. The attackers then add fake forum posts with ZIP downloads to these sites. The ZIPs supposedly answer highly specialized questions that have no relationship to the site's native content, for instance, an answer to a home insurance question on a medical website. Malware experts caution that users who default to Google searches are at high risk of being exposed to these ZIP downloads, whose file names are customized to the victim's language settings.
Stopping a Search with the Worst Possible Answers
Users should be suspicious of search results that lead directly to a download or to content unrelated to the site's domain. Although many attacks are avoidable by staying on reputable websites, the hijacking of high-reputation websites in Gootloader's campaign is overt enough that Google users need extra precautions. The use of a ZIP archive is also a tip-off, since many threats use archive compression as one of several means of evading detection technology.
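The two tip-offs above, a search result that leads straight to a download and the use of a ZIP archive, can be turned into a simple proxy-log check. The following is an added example, not code from the original article: it parses constructed, hypothetical access-log lines (the hosts are placeholders, not real indicators) and flags successful ZIP downloads whose Referer is a search-engine results page. It goes slightly beyond the page's Google-only case by treating other search engines the same way.

```python
"""Flag proxy-log entries where a search-engine result led straight to a ZIP
download, the traffic pattern the article describes for Gootloader.
Added example with constructed log lines; not code from the original article."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample proxy log lines with hypothetical hosts, loosely modelled
# on an access log: timestamp, client, method, url, status, content-type,
# referer. None of these hosts or paths are indicators from the article.
SAMPLE_LOG = """\
2021-03-02T10:15:01Z 10.0.0.12 GET https://clinic-example.test/forum/home-insurance-question.zip 200 application/zip https://www.google.com/search?q=home+insurance+question
2021-03-02T10:15:09Z 10.0.0.12 GET https://clinic-example.test/forum/index.php 200 text/html https://www.google.com/search?q=home+insurance+question
2021-03-02T10:16:30Z 10.0.0.33 GET https://downloads.vendor-example.test/setup-1.2.zip 200 application/zip https://vendor-example.test/downloads
2021-03-02T10:17:02Z 10.0.0.45 GET https://blog-example.test/post/agreement-template.zip 200 application/zip https://www.bing.com/search?q=agreement+template
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "
    r"(?P<ctype>\S+) (?P<referer>\S+)$"
)

# Referer hosts treated as search-engine results pages (assumption: extend as needed)
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.")


@dataclass
class Finding:
    ts: str
    client: str
    url: str
    referer: str
    reason: str


def is_search_referer(referer: str) -> bool:
    """True if the Referer points at one of the search engines listed above."""
    host = urlparse(referer).netloc.lower()
    host = host[4:] if host.startswith("www.") else host  # drop a leading "www."
    return host.startswith(SEARCH_ENGINE_HOSTS)


def is_zip_download(url: str, ctype: str) -> bool:
    """True if the response is a ZIP by MIME type or by the URL's file extension."""
    return ctype.lower() == "application/zip" or urlparse(url).path.lower().endswith(".zip")


def scan_log(text: str) -> list[Finding]:
    """Return one Finding per successful ZIP download reached from a search result."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        if m["status"] != "200":
            continue  # only completed downloads matter for this heuristic
        if is_zip_download(m["url"], m["ctype"]) and is_search_referer(m["referer"]):
            findings.append(Finding(
                m["ts"], m["client"], m["url"], m["referer"],
                "ZIP download reached directly from a search-engine result",
            ))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.url} <- {f.referer}: {f.reason}")
```

On the constructed sample, the first and last lines are flagged: both are ZIPs served to a client that arrived straight from a search results page. The vendor download on the third line is not, because its Referer is the vendor's own site, which is the ordinary path to a legitimate archive. The check is a triage filter for further inspection of the flagged host, not proof of compromise.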
Many Windows anti-malware products that scan the related 'answer' files should detect and delete Gootloader or disinfect computers as necessary. Users should also be aware that the Trojan can partly delay its execution until after a reboot, which may confuse attempts to trace the attack's timing and origin.
Gootloader is a strong push forward for Gootkit Trojans, with social engineering and a well-thought-out plan as the foundation of its technically sophisticated code. In 2021, even the famed Google can become a Trojan purveyor, however temporarily.