Concise Cyber

GootLoader Malware Strikes WordPress Sites Using Deceptive Font Hack

GootLoader Leverages SEO Poisoning on WordPress

A sophisticated malware campaign involving the GootLoader payload is actively compromising WordPress websites. Cybersecurity researchers at Sucuri identified the campaign, which uses search engine optimization (SEO) poisoning to lure victims. Attackers hack into legitimate WordPress sites and populate them with fake blog posts designed to appear as discussion forums. These posts are optimized to rank highly in search engine results for specific queries related to business documents and agreements.

When a user searches for these terms and clicks on one of the malicious links, they are directed to a compromised page. This page serves as the initial stage of the attack, designed to trick the visitor into downloading the malware.

The ‘Font Pack’ Ruse Delivers Malicious Payload

Upon landing on the compromised page, the visitor is met with a deceptive user interface. The content appears garbled, and a fake pop-up message is displayed. This message informs the user that the site’s font is not rendering correctly and instructs them to download a “WordPress Font Pack” to fix the display issue. The download link provides a ZIP archive containing a malicious JavaScript (.js) file.

If the user extracts and executes the JavaScript file, the GootLoader malware is installed on their computer. GootLoader is a first-stage malware downloader, which means its primary function is to establish a foothold on the infected system and then download more dangerous secondary payloads, such as ransomware or banking trojans. Sucuri’s analysis revealed the GootLoader code was injected into over 1,480 files on compromised sites, often obfuscated within legitimate-looking PHP files.
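The lure described above is a ZIP download advertised as a font pack whose real content is a single Windows script file. The following Python routine, added here as a defensive example and not taken from Sucuri's analysis or the original post, triages such a download by comparing what the archive was advertised to contain with what it actually holds; the two sample archives are constructed inline and contain no real malware.

```python
import io
import os
import zipfile

# Extensions the Windows Script Host runs when a user double-clicks them.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# What a genuine font pack would be expected to contain.
FONT_EXTS = {".ttf", ".otf", ".woff", ".woff2", ".eot"}


def triage_zip(data: bytes, expected_exts: set = FONT_EXTS) -> dict:
    """Classify an in-memory ZIP download against its advertised content type.

    expected_exts describes what the download claimed to be (here: a font
    pack); the verdict is 'block' when any member is a script-host file.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m.filename for m in zf.infolist() if not m.is_dir()]
    ext_of = {name: os.path.splitext(name)[1].lower() for name in members}
    scripts = sorted(n for n, e in ext_of.items() if e in SCRIPT_EXTS)
    reasons = []
    if scripts:
        reasons.append("contains Windows script host file(s): " + ", ".join(scripts))
    if not any(e in expected_exts for e in ext_of.values()):
        reasons.append("no member matches the advertised content type")
    if len(members) == 1 and scripts:
        reasons.append("single-member archive whose only member is a script")
    return {"verdict": "block" if scripts else "allow",
            "members": members, "reasons": reasons}


def build_zip(files: dict) -> bytes:
    """Build a small ZIP in memory (constructed demo data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: the lure shape described in the article, and a benign font pack.
LURE_ZIP = build_zip({"WordPress Font Pack.js": "// inert placeholder"})
FONT_ZIP = build_zip({"fonts/OpenSans-Regular.ttf": b"\x00\x01\x00\x00",
                      "fonts/LICENSE.txt": "example licence text"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("font pack", FONT_ZIP)):
        print(label, triage_zip(blob))
```

The same check fits a mail gateway or download proxy: the expected extension set comes from the context the file arrived in, so a "font pack" that ships a .js file is flagged even when the filename looks plausible.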

All articles here are written with the help of AI on the basis of openly available information which cannot be independently verified. We do strive to quote the relevant sources. The intent is only to summarise what is already reported in public forums in our own words, with no intention to plagiarise or copy another person's work. The publisher has no intent to defame or cause offence to anyone, any person or any organisation at any moment. The publisher assumes no responsibility for any damage or loss caused by making decisions on the basis of whatever is published on cyberconcise.com. You're advised to do your own checks and balances before making any decision, and owners and publishers at cyberconcise.com cannot be held accountable for its resulting ramifications. If you have any objections or concerns, or wish to point out anything factually incorrect, please reach out using the form on https://concisecyber.com/about/
