b00gle

b00gle is a proof-of-concept tool designed to create a ‘minefield’ of malicious domains based on misspellings of popular Google services.

The executable b00gle.exe starts an Apache httpd server that runs continuously in the background, while an extensive list of malicious domains is generated to be substituted for the system’s ‘hosts’ file (note: this process requires administrator privileges). The tool relies on the user typing a domain or URL incorrectly: if the mistyped entry matches one of the malicious domains generated by the executable variations.exe, the victim is redirected to a malicious Google sign-in page hosted locally on the httpd server. The URL displayed to the victim is configured to mimic the URL typically seen when signing into Google services, which consists of a seemingly arbitrary assortment of numbers and letters. These values are currently statically defined, though enhanced iterations of b00gle may incorporate randomized generation of this string such that explicit signature detection may be avoided.
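A defensive check for the hosts-file substitution described above, added here as an example and not part of b00gle: it parses a hosts file and reports entries whose hostname is within a small edit distance of a protected domain. The protected-domain list, the distance threshold and the sample hosts content are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: domains to protect; the page does not list the ones b00gle targets.
PROTECTED = ("google.com", "gmail.com", "youtube.com", "accounts.google.com")
MAX_DISTANCE = 2  # assumption: edits tolerated before a name stops looking alike
# Constructed sample hosts content (not captured from a real system).
SAMPLE = """127.0.0.1 localhost
127.0.0.1 gogle.com www.goolge.com
127.0.0.1 gmial.com   # transposed letters
93.184.216.34 example.org
"""


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance; an adjacent swap counts as one edit."""
    rows = [list(range(len(b) + 1))]
    for i in range(1, len(a) + 1):
        row = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            row[j] = min(rows[i - 1][j] + 1, row[j - 1] + 1, rows[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                row[j] = min(row[j], rows[i - 2][j - 2] + 1)
        rows.append(row)
    return rows[-1][-1]


def audit_hosts(text: str):
    """Return (line_no, ip, host, matched_domain, is_local) per suspicious entry.

    Exact matches are reported too: a hosts override of the real name is also a redirect.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address mapping
        for host in fields[1:]:
            name = host.lower().rstrip(".").removeprefix("www.")
            for domain in PROTECTED:
                if edit_distance(name, domain) <= MAX_DISTANCE:
                    local = ip.is_loopback or ip.is_private
                    findings.append((line_no, str(ip), host, domain, local))
                    break
    return findings


if __name__ == "__main__":
    print(*audit_hosts(SAMPLE), sep="\n")
```

On Windows the file to audit is `%SystemRoot%\System32\drivers\etc\hosts`; a sudden growth in its size or entry count is a useful signal on its own.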

Username and password data gathered from the sign-in page are stored in the browser’s cookies. PostMail is used as a framework for exfiltrating data, though it can be substituted with other methods according to the attacker’s preference.

© 2026 Daniel Gaevskiy   •  Theme  Moonwalk