A framework known for offering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads.
“Gootkit’s malware family has been around for more than half a decade: a mature Trojan with functionality focused on stealing bank credentials,” Sophos researchers Gabor Szappanos and Andrew Brandt said in a published paper today.
“In recent years, almost as much effort has been made in improving its delivery method as in NodeJS-based malware itself.”
Nicknamed “Gootloader”, the expanded malware distribution system occurs amid an increase in the number of infections targeting users in France, Germany, South Korea and the United States.
First documented in 2014, Gootkit is a Javascript-based malware platform capable of performing a number of covert activities, including web injection, keystrokes, screenshots, video recording, and mail theft. electronic and password.
Over the years, the cybercrime tool has evolved to obtain new information theft features, with the Gootkit loader reused in combination with the REvil / Sodinokibi ransomware infections reported last year.
While the campaigns that use social engineering tricks to provide malicious payloads are a hundred dozen, Gootloader takes it to the next level.
The chain of infection uses sophisticated techniques that involve hosting ZIP files of malicious files on websites belonging to legitimate companies that have been considered to appear among the best results of a search query using search engine optimization methods. search engine optimization (SEO).
In addition, search engine results point to websites that have no “logical” connection to the search query, implying that attackers must have a vast network of hacked websites. In one case seen by investigators, a board for a real estate deal emerged as the first result of an incomplete neonatal medical practice based in Canada.
“To ensure that the targets of the appropriate geographies are captured, opponents rewrite the website code‘ on the fly ’so that website visitors who are outside the desired countries are shown benign web content, while that those in the right location show a page with a fake discussion forum on the topic they have asked, ”the researchers said.
By clicking on the search result, the user is directed to a page similar to a fake message board that not only matches the search terms used in the initial query, but also includes a link to the ZIP file , which contains a very obfuscated Javascript file that initiates the next compromise stage to inject into memory the fileless malware recovered from a remote server.
This takes the form of a multi-stage evasive approach that begins with a .NET loader, which comprises a Delphi-based malicious program for loaders, which in turn contains the final payload in encrypted form.
In addition to offering the REvil ransomware and the Gootkit Trojan, several campaigns have been detected that currently take advantage of the Gootloader framework to deliver Kronos financial malware to Germany stealthily and the Cobalt Strike post-exploitation tool in the US.
It’s still unclear how operators access websites to serve malicious injections, but investigators suspect the attackers may have obtained passwords by installing Gootkit malware or buying stolen credentials from underground markets or taking advantage of security flaws. current. to the plugins used alongside the content management system (CMS) software.
“The developers behind Gootkit seem to have shifted the resources and energy to deliver only their own financial malware to creating a complex and stealthy delivery platform for all sorts of payloads, including ransomware REvil,” said Gabor Szappanos , director of Sophos threat research.
“This shows that criminals tend to reuse their proven solutions instead of developing new delivery mechanisms. In addition, instead of actively attacking endpoint tools as some malware distributors do, the creators of Gootloader have opted by complicated evasive techniques that hide the end result, ”he said. added.