Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers


The operators of the Gootkit access-as-a-service (AaaS) malware have resurfaced with updated techniques to compromise unsuspecting victims.

“In the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into downloading these files,” Trend Micro researchers Buddy Tancio and Jed Valderama said in a write-up last week.


The findings build on a previous report from eSentire, which in January disclosed widespread attacks aimed at employees of accounting and law firms, with the goal of deploying malware on the compromised systems.

Gootkit is part of the proliferating underground ecosystem of access brokers, who are known to provide other malicious actors a pathway into corporate networks for a price, paving the way for actual damaging attacks such as ransomware.

Gootkit Loader

The loader utilizes malicious search engine results, a technique called SEO poisoning, to lure unsuspecting users into visiting compromised websites hosting malware-laced ZIP package files purportedly related to disclosure agreements for real estate transactions.


“The combination of SEO poisoning and compromised legitimate websites can mask indicators of malicious activity that would usually keep users on their guard,” the researchers pointed out.

The ZIP file, for its part, contains a JavaScript file that loads a Cobalt Strike binary, a post-exploitation tool that runs directly in memory without being written to disk.
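The delivery chain described above (a document-themed ZIP that actually carries a script) lends itself to a simple triage check on downloaded archives. The following Python script is an added example and not code from Trend Micro, eSentire or the Gootkit report; the lure keyword list and the sample archives are constructed for illustration.

```python
import io
import os
import re
import zipfile

# Extensions that the Windows Script Host executes when a user double-clicks them.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Constructed keyword list matching the "legal document" lure theme from the report.
LURE_KEYWORDS = re.compile(r"agreement|contract|disclosure|nda|real[ _-]?estate", re.I)


def triage_zip(archive_bytes: bytes, archive_name: str) -> dict:
    """Flag archives whose members are scripts rather than the documents the name promises.

    Returns a dict with the archive name, a verdict (clean / review / suspicious)
    and one finding per script member found inside the archive.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append({
                    "member": info.filename,
                    "ext": ext,
                    # A script named like a legal document is the pattern described above.
                    "lure_name": bool(LURE_KEYWORDS.search(info.filename)),
                })
    if not findings:
        verdict = "clean"
    elif LURE_KEYWORDS.search(archive_name) or any(f["lure_name"] for f in findings):
        verdict = "suspicious"
    else:
        verdict = "review"  # a script inside a ZIP, but no document-lure naming
    return {"archive": archive_name, "verdict": verdict, "findings": findings}


def build_sample_zip(members: dict) -> bytes:
    """Build a constructed in-memory ZIP for demonstration (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mirroring the lure theme; neither is a real malware artifact.
SUSPICIOUS = build_sample_zip({"Real Estate Disclosure Agreement 12345.js": "// placeholder"})
BENIGN = build_sample_zip({"disclosure_agreement.pdf": "%PDF-1.4 placeholder"})

if __name__ == "__main__":
    print(triage_zip(SUSPICIOUS, "real_estate_disclosure_agreement.zip"))
    print(triage_zip(BENIGN, "real_estate_disclosure_agreement.zip"))
```

In practice this check would run on archives arriving through the browser download path or a mail gateway, with the verdict feeding an alert rather than blocking outright.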

“Gootkit is still active and improving its techniques,” the researchers said. “This implies that this operation has proven effective, as other threat actors seem to continue using it.”
