As RiskIQ tracks malware families to identify infrastructure patterns and common threads between threat campaigns via our Internet Intelligence Graph, we often surface strong links between seemingly disparate ones. In the case of EITest and GootLoader, these campaigns may have turned out to be one and the same.
Researchers around the industry have tracked EITest and its evolution for the better part of a decade. Thus far, no one has connected it to the much newer GootLoader malware delivery campaign. However, infrastructure connections in RiskIQ data belonging to GootLoader directly correlate with past EITest activity and the current malware delivery campaign.
EITest and Gootkit
EITest was first identified in 2014 and historically used large numbers of compromised WordPress sites and social engineering techniques to trick users into downloading malware. Researchers observed this campaign delivering various malware, including Gootkit, a complex multi-stage banking Trojan that Dr.WEB analysts discovered and first described as a backdoor Trojan in 2014.
In 2015, threat researcher Jerome Segura documented a mass compromise of WordPress sites by EITest. In the same year, Faelix detailed brute force attacks via a botnet targeting WordPress sites for compromise. In 2017, Kafeine covered a change in EITest's tactics to using social engineering lures on compromised WordPress sites. The malware was delivered via a pop-up telling the user to download a "font pack" needed to view the website they were attempting to visit.
This new campaign eschewed the use of exploit kits due to improved countermeasures which prevented successful malware installation via exploit kits. Instead, EITest tried to trick the user into performing the installation themselves.
Kafeine also pointed to the connections between EITest and compromised WordPress sites, noting that, in 2014, Sucuri documented mass WordPress compromises via a plugin vulnerability. In 2018, Kafeine again wrote about EITest, this time discussing Proofpoint's efforts to sinkhole the entire EITest operation.
After seizing control of the C2 servers, researchers found that most of the compromised websites were running WordPress. On March 15, 2018, Proofpoint, in collaboration with abuse.ch, successfully sinkholed EITest's C2 network.
Malicious SEO: A Familiar Technique
Later in 2018, with the security community assuming the demise of EITest, Sucuri documented a fresh batch of search engine optimization (SEO) injections on compromised WordPress sites. These injections manipulated Google’s search results for specific key phrases, causing the compromised websites to appear near the top of the results. According to the post, the compromised WordPress sites made requests to a C2 server.
In 2020, Malwarebytes documented Gootkit and REvil ransomware delivery via compromised WordPress sites injected with the same malicious SEO as documented by Sucuri in 2018. Malwarebytes' analysis of the campaign went further than Sucuri's. They found that the compromised pages were dynamically redrawn for users who met a particular set of criteria and navigated to the compromised website via a Google search of the SEO terms. Users were served a fake forum page that appeared to answer the specific question or topic the user had searched on Google. The fake forum page provides a link that drops a zip file containing a malicious payload.
This same malware delivery technique via SEO and fake forum pages on compromised WordPress sites was most recently documented by Sophos in a pair of 2021 articles. Sophos named the campaign "Gootloader" for its propensity to deliver Gootkit. They also noted the same C2 as the one seen by Sucuri in 2018 and that "Gootloader" served several different malware families, not just Gootkit.
Based on our review of EITest above, these tactics should sound highly familiar.
You can review RiskIQ's technical analysis of Gootloader in our Threat Intelligence Portal.
Linking Gootloader and EITest
In 2018, Sucuri documented SEO injections on compromised WordPress sites. These injections manipulated Google search results for specific key phrases, causing the compromised websites to appear near the top of the results. The compromised WordPress sites made requests to a command and control (C2) server, predicated on the user's IP address, referrer, and browser's User-Agent string.
In 2020, Malwarebytes documented the delivery of Gootkit via compromised WordPress sites that had been injected with malicious SEO. As in the campaigns mentioned above, the content on the compromised websites was dynamically redrawn, in this case, to create a fake forum page related to the topic for which the user searched. The fake forum page provides a link that drops a zip file containing a malicious payload.
This same malware delivery technique—via SEO and fake forum posts on compromised WordPress sites—was most recently documented by Sophos. The SEO injections documented in this article are identical to those reported by Sucuri in 2018.
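The gating described above (different content for visitors who arrive from a Google search) is what a site owner can test for on their own site. The following is an added example, not code from the RiskIQ post or from any of the vendors cited: it fetches the same URL once as a direct visit and once with a Google referrer, reduces both responses to their visible words, and flags the page when the two differ substantially. The HTTP client is passed in as a callable so the example runs offline against two constructed fake sites; the User-Agent string, the threshold and the sample pages are assumptions.

```python
"""Added example: a one-sided cloaking check for a site owner's own pages.

Not part of the RiskIQ post. The fetch function is injected so the check runs
offline here against constructed fake sites; in practice pass a thin wrapper
around a real HTTP client that returns the response body as text.
"""
import re
from difflib import SequenceMatcher
from typing import Callable, Dict, List

# Assumed mainstream desktop browser User-Agent (any current value works).
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/90.0 Safari/537.36")
SEARCH_REFERRER = "https://www.google.com/"

# (url, request headers) -> response body
Fetcher = Callable[[str, Dict[str, str]], str]


def visible_words(html: str) -> List[str]:
    """Reduce an HTML document to its visible words, so that differences in
    markup, scripts, nonces or whitespace do not count as cloaking."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return re.findall(r"\w+", text.lower())


def difference_ratio(body_a: str, body_b: str) -> float:
    """0.0 means identical visible text, 1.0 means no words in common."""
    matcher = SequenceMatcher(None, visible_words(body_a), visible_words(body_b))
    return 1.0 - matcher.ratio()


def check_cloaking(fetch: Fetcher, url: str, threshold: float = 0.5) -> dict:
    """Fetch `url` as a direct visitor and as a search-engine visitor and report
    whether the served content diverges beyond `threshold`.

    Legitimate pages vary a little (ads, comments, timestamps), hence the
    threshold rather than an exact comparison."""
    direct = fetch(url, {"User-Agent": BROWSER_UA})
    from_search = fetch(url, {"User-Agent": BROWSER_UA, "Referer": SEARCH_REFERRER})
    ratio = difference_ratio(direct, from_search)
    return {"url": url, "difference": round(ratio, 3), "cloaked": ratio >= threshold}


# --- constructed fake sites standing in for a real HTTP client ---------------
LEGIT_PAGE = ("<html><head><title>Garden Blog</title><script>var x=1;</script>"
              "</head><body><h1>Pruning roses</h1>"
              "<p>Cut back dead wood in late winter.</p></body></html>")
FAKE_FORUM = ("<html><body><h2>Re: sample question</h2>"
              "<p>Answer: attached file (constructed fake forum page)</p>"
              "</body></html>")


def honest_site(url: str, headers: Dict[str, str]) -> str:
    """Constructed site that serves the same page to everyone."""
    return LEGIT_PAGE


def cloaked_site(url: str, headers: Dict[str, str]) -> str:
    """Constructed site mimicking the referrer gating described in the post:
    visitors arriving from a Google search get a fake forum page."""
    if "google." in headers.get("Referer", ""):
        return FAKE_FORUM
    return LEGIT_PAGE


if __name__ == "__main__":
    for name, site in (("honest", honest_site), ("cloaked", cloaked_site)):
        print(name, check_cloaking(site, "https://example.org/pruning-roses"))
```

The check is deliberately one-sided: it reproduces the referrer and User-Agent conditions, but the campaigns described here also gate on the visitor's IP address, and a site owner probing from their own network may simply never satisfy that condition. A clean result therefore lowers suspicion without clearing the site; a flagged result is a strong signal that the installation is serving something other than its own content.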
RiskIQ researchers found that the same IP address hosting the C2 identified by Sophos was noted in a 2016 blog post from BroadAnalysis, which documented the delivery of Gootkit via EITest and RIG exploit kit.
In 2015, an article from Faelix detailed brute force attacks via a botnet targeting WordPress sites for compromise. The C2 for this campaign was owned by Petersburg Internet Network ltd, the same hosting provider as the IP listed above. An internal analysis conducted by RiskIQ researchers in 2017 determined that the scanning behavior carried out by this C2 was related to the compromise of WordPress sites exploited by EITest. The C2 identified by Sucuri was carrying out scans for the same purpose.
A Proofpoint article by Kafeine from 2017 detailed EITest's use of "Chrome Font" social engineering lures on compromised WordPress sites. This attack was predicated on various criteria, including country, user-agent, referrer, and search result.
These elements are similar to the current strategy employed by Gootloader as described by Malwarebytes and Sophos. Additionally, Kafeine notes EITest C2 nodes at an IP address also owned by Petersburg Internet Network ltd.
In 2018, Kafeine again wrote about EITest, this time discussing Proofpoint's efforts to sinkhole the entire EITest operation. After seizing control of the C2 servers, they found that most of the compromised websites were running WordPress. According to the article, on March 15, 2018, Proofpoint, in collaboration with abuse.ch, successfully sinkholed EITest's C2 network.
For the full analysis, including a list of IOCs, visit the Threat Intelligence Portal.
EITest is Dead. Long Live Gootloader.
EITest campaigns heavily targeted WordPress sites for compromise starting in 2014, used social engineering to trick users into downloading malware, and used infrastructure belonging to Petersburg Internet Network ltd. for C2 purposes. We believe that "Gootloader" may be a continuation of the EITest activity that began in 2014 and not associated with Gootkit malware beyond the fact that this payload delivery technique sometimes deploys it.
When EITest operations were sinkholed in 2018, the actors took action within a few days to stand up new command and control infrastructure on an IP address they had used previously to launch a social engineering campaign exploiting compromised WordPress sites to deliver malware payloads - a campaign that continues to this day. This quick action by the threat actors was savvy and caught threat researchers off guard; they struggled to connect the dots and recognize that EITest never discontinued its operations.
To view our full analysis, explore the IOCs from this investigation, and learn how RiskIQ’s Internet Intelligence Graph can help threat hunters link infrastructure across the internet to better understand threats and threat groups, visit our Threat Intelligence Portal.