Gootloader

Gootloader Description

Gootloader is a Trojan downloader that is part of the Gootkit family. Gootloader may install other threats onto the computer or collect information. Users should protect their PCs with dedicated anti-malware products that can remove Gootloader, and should avoid downloading unexpected ZIP archives reached through Google search results, which are the Trojan's current infection vector.

Google Searching Your Way into Trouble

By now, Google is so dominant a Web search service that its name has become synonymous with searching the Web for sites and for answers to questions. A threat actor with access to the Gootkit Trojan family is turning that fame into a black-market advantage by gaming Google's search ranking so that its lures appear among the results. For some unlucky users, the answer to their question turns out to be Gootloader, a Trojan downloader.

Gootloader is closely related to Gootkit, a banking Trojan family that hijacks bank accounts to steal their funds. However, Gootloader also may install other threats, such as file-locking Trojans, which feature prominently among its payloads. Gootloader and the other Gootkit members are Windows-specific and written mostly in JavaScript.

The Gootloader campaign distributes the threat by compromising legitimate businesses' websites through methods that have not been confirmed, such as exploiting vulnerabilities in outdated software or brute-forcing logins. The attackers then add fake forum posts with ZIP downloads to these sites. The ZIPs supposedly answer highly specialized questions that have no relationship to the site's native content – for instance, an answer to a home insurance question on a medical website. Malware experts caution that users who rely on Google searches by default are at high risk of encountering these ZIP downloads, whose file names are customized to the victim's language settings.

Stopping a Search with the Worst Possible Answers

Users should be suspicious of search results that lead directly to a download or to content unrelated to the site's domain. Although many attacks are avoidable by staying on reputable websites, Gootloader's campaign hijacks high-reputation websites widely enough that Google users need extra precautions. The use of a ZIP archive is also a tip-off, since many threats use archive compression as one of several means of evading threat-detection technology.

Standard risks from exposure to Gootloader or other Gootkit variants include the loss of passwords and other account credentials, theft of money from bank accounts, or encrypted, 'locked' files that attackers hold for ransom. Users who configure Windows to show file extensions have a better chance of noticing the '.js' (JavaScript) extension, which should be a strong indication of the download's malicious nature. Backups can also prevent encryption from causing much long-term damage, but the other effects of Gootloader's attacks are questionably reversible, at best.
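The two tip-offs described above, a ZIP archive delivered from a search result and a script file inside it, can be checked before anything is opened. The following Python triage helper is an added example, not code from the original article or from any anti-malware vendor: it reads a ZIP in memory, lists members whose final extension is a Windows script type (so that a double-extension name such as 'agreement.pdf.js' is still caught when Explorer hides extensions), and returns a verdict. The '.js' extension is the one the article describes; the other entries in SCRIPT_EXTENSIONS and the sample archives are assumptions constructed for this demonstration.

```python
import io
import zipfile
from typing import Dict, List

# '.js' is the extension the article describes. The other Windows Script Host /
# HTML Application extensions are an assumption added so the check generalizes.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}


def final_extension(name: str) -> str:
    """Lower-cased final extension of a member name ('' if it has none).

    Only the last extension matters: Windows decides what to run from it, and
    'agreement.pdf.js' is displayed as 'agreement.pdf' when extensions are hidden.
    """
    lowered = name.lower()
    dot = lowered.rfind(".")
    return lowered[dot:] if dot != -1 else ""


def assess_archive(archive_bytes: bytes) -> Dict[str, object]:
    """Triage a downloaded ZIP without extracting or opening anything.

    verdict 'suspicious'  - the archive delivers at least one script file
    verdict 'clean'       - readable ZIP with no script members
    verdict 'unreadable'  - not a valid ZIP; quarantine it rather than open it
    """
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            members: List[str] = [i.filename for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"verdict": "unreadable", "script_members": [], "total_members": 0}

    scripts = [m for m in members if final_extension(m) in SCRIPT_EXTENSIONS]
    return {
        "verdict": "suspicious" if scripts else "clean",
        "script_members": scripts,
        "total_members": len(members),
    }


def build_zip(files: Dict[str, str]) -> bytes:
    """Constructed helper: build an in-memory ZIP from {member name: text content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real Gootloader artifacts): a lure that mimics the
# 'single script named like a document' pattern, and a benign archive.
SAMPLE_LURE = build_zip(
    {"home_insurance_agreement_template.js": "// constructed placeholder, not malware\n"}
)
SAMPLE_BENIGN = build_zip({"readme.txt": "nothing to see here\n"})

if __name__ == "__main__":
    for label, data in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, assess_archive(data))
```

A single-member archive whose only content is a script named like a document is exactly the pattern the article describes, so a 'suspicious' verdict with total_members of 1 deserves the most scrutiny. The helper is a triage aid that complements, and does not replace, the anti-malware scanning of the 'answer' files that the article recommends.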

Many Windows anti-malware products that scan the related 'answer' files should detect and delete Gootloader or disinfect computers as necessary. Users should also be aware that the Trojan can partly delay its execution until after a reboot, which may confuse attempts to track the attack's time and origin.

Gootloader is a strong push forward for the Gootkit Trojans, with social engineering and a well-thought-out plan as the foundation of its technically sophisticated code. In 2021, even the famed Google can become a Trojan purveyor, however temporarily.