
Gootkit malware is prominently targeting healthcare and financial organizations in the US, UK, and Australia, according to new findings from Cybereason.
The cybersecurity firm said it investigated a Gootkit incident in December 2022 in which a new deployment method was used: the attacker abused the initial foothold to deliver Cobalt Strike and SystemBC for post-exploitation.
"The attacker exhibited fast-moving behavior, quickly gained control of the infected network, and elevated privileges within four hours," Cybereason said in an analysis published on February 8, 2023.
Gootkit, also known as Gootloader, is exclusively attributed to a threat actor that Mandiant tracks as UNC2565. It started life in 2014 as a banking trojan and has since morphed into a loader capable of delivering next-stage payloads.
The shift in tactics was first spotted by Sophos in March 2021. Gootloader takes the form of a heavily obfuscated JavaScript file served through compromised WordPress sites that are pushed to the top of search engine results through search engine optimization (SEO) poisoning.

The attack chain relies on luring victims who search for agreements and contracts on DuckDuckGo or Google to a booby-trapped web page that ultimately leads to the deployment of Gootloader.
The latest wave is also notable for hiding the malicious code inside copies of legitimate JavaScript libraries such as jQuery, Chroma.js, Sizzle.js, and Underscore.js, which are then used to establish persistence and drop the malware.
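A file that carries a jQuery or Underscore.js banner but does not hash to any vendor-published build is the check a responder can run first. The script below is an added example, not code from the article or from Cybereason: it compares a JavaScript file against an allowlist of known-good digests and, when the hash does not match, looks for the kind of artifacts the article describes (dynamic evaluation of character codes, long random-looking identifiers). The two input files and the allowlist are constructed for the demo; in practice the allowlist holds SHA-256 digests of the real library releases.

```python
"""Triage a JavaScript file that claims to be a well-known library (added example)."""
import hashlib
import re

# Constructed sample inputs (not real library or malware code).
CLEAN_LIB = (
    "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n"
    "!function(e,t){\"use strict\";\"object\"==typeof module?module.exports=t(e):t(e)}"
    "(this,function(){return{version:\"3.6.0\"}});\n"
)
# Same banner, but with an obfuscated blob inserted after it: an eval over character
# codes kept in an array with a random-looking name, standing in for the pattern the
# article describes (the real loader is far longer and split across the library).
TAMPERED_LIB = (
    "/*! jQuery v3.6.0 | (c) OpenJS Foundation and other contributors | jquery.org/license */\n"
    "var qwfyhgulnmzkdoapsbx = [119,115,99,114,105,112,116];\n"
    "var zpelqotrvjbxmhnfkdsa = String.fromCharCode.apply(null, qwfyhgulnmzkdoapsbx);\n"
    "eval(zpelqotrvjbxmhnfkdsa + '(\"...\")');\n"
    "!function(e,t){\"use strict\";\"object\"==typeof module?module.exports=t(e):t(e)}"
    "(this,function(){return{version:\"3.6.0\"}});\n"
)

# Stand-in allowlist: seeded from the constructed clean sample so the demo runs offline.
# A real allowlist is built from vendor release archives, never from files found on a host.
KNOWN_GOOD = {hashlib.sha256(CLEAN_LIB.encode()).hexdigest()}

# Leading block comment naming one of the libraries the article lists.
BANNER = re.compile(r"^\s*/\*.{0,120}?\b(jquery|chroma|sizzle|underscore)\b", re.I | re.S)
# Calls that a minified UI library has no reason to make but a loader does.
SUSPICIOUS = re.compile(r"\b(eval|String\.fromCharCode|charCodeAt|WScript|ActiveXObject)\b")
# Identifiers of 16+ characters: rare in minified libraries, common in generated code.
LONG_IDENT = re.compile(r"\b[A-Za-z_]\w{15,}\b")


def triage(source: str) -> dict:
    """Return a verdict plus the evidence behind it for one JavaScript file."""
    digest = hashlib.sha256(source.encode()).hexdigest()
    claims_library = BANNER.search(source) is not None
    hash_known_good = digest in KNOWN_GOOD
    suspicious_calls = sorted(set(SUSPICIOUS.findall(source)))
    long_identifiers = sorted(set(LONG_IDENT.findall(source)))

    if claims_library and hash_known_good:
        verdict = "clean"           # exact match with a published build
    elif claims_library and (suspicious_calls or len(long_identifiers) >= 2):
        verdict = "suspect"         # library banner, unknown hash, loader-like content
    else:
        verdict = "unknown"         # e.g. a version missing from the allowlist; review by hand

    return {
        "sha256": digest,
        "claims_library": claims_library,
        "hash_known_good": hash_known_good,
        "suspicious_calls": suspicious_calls,
        "long_identifiers": long_identifiers,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, src in (("clean", CLEAN_LIB), ("tampered", TAMPERED_LIB)):
        result = triage(src)
        print(name, result["verdict"], result["suspicious_calls"], result["long_identifiers"])
```

The hash check is the authoritative one; the token heuristics only serve to rank what to look at next, since a legitimate but unlisted library version would otherwise land in the same "unknown" bucket as a tampered one.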
In the incident investigated by Cybereason, the Gootloader infection is said to have paved the way for Cobalt Strike and SystemBC to carry out lateral movement and potential data exfiltration, although the attack was ultimately unsuccessful.

This disclosure comes as malware operators continue to exploit Google Ads as an intrusion vector to distribute a variety of malware, including FormBook, IcedID, RedLine, Rhadamanthys, and Vidar.
The evolution of Gootloader into a sophisticated loader has seen its operators constantly look for new targets and methods, moving to a malware-as-a-service (MaaS) model and selling the access they obtain to other criminals in an effort to maximize profits.