Gootkit Loader resurfaces with updated tactic to compromise targeted computers

Operators of the Gootkit access-as-a-service (AaaS) malware have resurfaced with updated techniques to compromise unsuspecting victims.

“In the past, Gootkit used freeware installers to hide malicious files; now, it uses legal documents to trick users into downloading these files,” Trend Micro researchers Buddy Tancio and Jed Valderama said in an article last week.


The findings build on an earlier report by eSentire, which in January revealed widespread attacks targeting employees of accounting and legal firms to deploy malware to infected systems.

Gootkit is part of the proliferating underground ecosystem of access brokers, which are known to sell other malicious actors a route into corporate networks, paving the way for truly damaging attacks such as ransomware.

Gootkit Loader

The loader uses malicious search engine results, a technique called SEO poisoning, to trick unsuspecting users into visiting compromised websites that host ZIP archives containing malware disguised as disclosure agreements for real estate transactions.


“The combination of SEO poisoning and compromised legitimate websites can mask indicators of malicious activity that would typically keep users on their toes,” the researchers pointed out.

The ZIP archive, for its part, contains a JavaScript file that loads a Cobalt Strike binary, a tool used for post-exploitation activity, directly into memory so that no file is written to disk.
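The delivery chain described above hinges on an archive whose only payload is a script file with a document-style name. As an added example (not code from the article or from Trend Micro), the following Python scanner inspects a ZIP archive and flags members that carry a script extension while being named like a legal document or hiding behind a double extension; the extension list, keyword list and sample archive are assumptions constructed for this illustration.

```python
import io
import os
import zipfile
from typing import List, Optional

# Extensions the Windows Script Host or shell executes on double-click
# (illustrative list chosen for this example, not taken from the article).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Words that make a file name read like a legal or real-estate document.
DOCUMENT_WORDS = ("agreement", "contract", "disclosure", "nda", "lease")


def classify_member(name: str) -> Optional[dict]:
    """Describe an archive member that is a script; return None for non-scripts."""
    base = os.path.basename(name).lower()
    stem, ext = os.path.splitext(base)
    if ext not in SCRIPT_EXTENSIONS:
        return None
    # A second extension such as "agreement.pdf.js" is a classic masquerade.
    inner_ext = os.path.splitext(stem)[1]
    return {
        "name": name,
        "extension": ext,
        "document_words": [w for w in DOCUMENT_WORDS if w in stem],
        "double_extension": inner_ext,
    }


def suspicious_members(zip_bytes: bytes) -> List[dict]:
    """Return script members of a ZIP archive that look like documents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hit = classify_member(info.filename)
            if hit and (hit["document_words"] or hit["double_extension"]):
                findings.append(hit)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive; names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("real_estate_disclosure_agreement.js", "// constructed placeholder\n")
        zf.writestr("notes.txt", "benign text\n")
        zf.writestr("invoice.pdf.js", "// constructed placeholder\n")
        zf.writestr("build/helper.js", "// script without a document-style name\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in suspicious_members(build_sample_zip()):
        print(finding)
```

The check deliberately stays at the archive level: it needs no execution of the script and can run on a mail gateway or a download proxy before the user ever sees the file. Tune `DOCUMENT_WORDS` to the vocabulary of the business being protected.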

“Gootkit is still active and improving its techniques,” the researchers said. “It implies that this operation has proven effective, as other threat actors appear to continue to use it.”