According to Sophos, the so-called search engine "deoptimization" method includes both SEO tricks and the abuse of human psychology to push websites that have been compromised up Google's rankings.
SEO optimization is used by webmasters to legitimately increase their website's exposure on search engines such as Google or Bing. However, Sophos says that threat actors are now tampering with the content management systems (CMS) of websites to serve financial malware, exploit tools, and ransomware.
In a blog post on Monday, the cybersecurity team said the technique, dubbed "Gootloader," involves deployment of the infection framework for the Gootkit Remote Access Trojan (RAT) which also delivers a variety of other malware payloads.
The use of SEO as a technique to deploy Gootkit RAT is not a small operation. The researchers estimate that a network of servers -- 400, if not more -- must be maintained at any given time for success.
While it isn't known if a particular exploit is used to compromise these domains in the first place, the researchers say that CMSs running the backend of websites could have been hijacked via malware, stolen credentials, or brute-force attacks.
Once the threat actors have obtained access, a few lines of code are inserted into the body of website content. Checks are performed to ascertain whether the victim is of interest as a target -- such as based on their IP and location -- and queries originating from Google search are most commonly accepted.
Websites compromised by Gootloader are manipulated to answer specific search queries. Fake message boards are a constant theme in hacked websites observed by Sophos, in which "subtle" modifications are made to "rewrite how the contents of the website are presented to certain visitors."
"If the right conditions are met (and there have been no previous visits to the website from the visitor's IP address), the malicious code running server-side redraws the page to give the visitor the appearance that they have stumbled into a message board or blog comments area in which people are discussing precisely the same topic," Sophos says.
If the attackers' criteria aren't met, the browser will display a seemingly-normal web page -- that eventually dissolves into garbage text.
A fake forum post will then be displayed containing an apparent answer to the query, as well as a direct download link. In one example discussed by the team, the website of a legitimate neonatal clinic was compromised to show fake answers to questions relating to real estate.
Victims who click on the direct download links will receive a .zip archive file, named in relation to the search term, that contains a .js file.
The .js file executes, runs in memory, and obfuscated code is then decrypted to call other payloads.
According to Sophos, the technique is being used to spread the Gootkit banking Trojan, Kronos, Cobalt Strike, and REvil ransomware, among other malware variants, in South Korea, Germany, France, and the United States.
"At several points, it's possible for end-users to avoid the infection, if they recognize the signs," the researchers say. "The problem is that, even trained people can easily be fooled by the chain of social engineering tricks Gootloader's creators use. Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page to happen, but not everyone uses those tools."