Asking Google about Bengal cats in Australia leads to an SEO-poisoned link.
Another Google search query has been SEO-poisoned, meaning searching a specific phrase and clicking on a top link could lead to Windows malware, according to a recent report from cybersecurity firm Sophos.
A fake forum site may appear near the top of Google Search results if you search for something like "Are Bengal cats legal in Australia?" Clicking on this forum link will trigger a .zip file download containing malware. A malicious file link will also appear on the web page itself on a fake admin's post.
This malware is a new variant of "GootLoader" malware, which can then be used to deploy ransomware or banking trojans on a victim's machine. The malware uses a combination of "Scheduled Tasks," JavaScript files, and PowerShell to infect and remain on a PC.
The malware files contain a fair amount of obfuscated code, as well as fake licensing info, to make the files appear legitimate to less tech-savvy users. It even claims to be software from Microsoft in one of the JavaScript files, which is untrue.
Different versions of GootLoader malware have been around online for years, typically infecting computers via SEO-poisoning. The GootKit more broadly has existed for at least a decade.
Earlier GootLoader malware versions similarly exploit JavaScript to executive their attacks and can prep a computer for the Cobalt Strike malware payload or REvil ransomware. Sometimes, malicious JS files pose as contracts, important documents, or other software or files.
Unfortunately, just because a site appears near or at the top of Google Search results doesn't mean it's always safe to click. SEO poisoning and malicious Google ads are both used to trick unsuspecting victims into clicking on or installing something that isn't what it seems. This summer, "DeerStealer" malware was hidden in "verified" Google ads for fake authenticator apps, multiple cybersecurity firms found.