Gootkit malware crew using SEO to get pwned websites in front of unwitting marks
2021-03-02 09:30

Gootkit financial malware has been resurrected to fling ransomware payloads at unwitting marks, according to Sophos.

The infosec firm said today that "criminal operators have turned the infection method" for the malware "into a complex delivery platform for a wide range of malware, including ransomware."

Originally its operators set out to compromise legitimate websites and redirect their traffic towards hostile sites containing malware.

Now they're using the eternally grey art of search engine optimisation to get their malicious wares onto victims' devices - and those malicious wares include payloads from the REvil ransomware crew, post-exploit artefacts from the Cobalt Strike tool and the Kronos banking malware.

These fake websites contain either downloads or links to downloads, with the malware doing its thing once the unwitting user clicks the link.

Malware criminals cross-pollinating their wares isn't new, but it is growing in popularity as the "easy" financial gains from ransomware become more apparent, especially after the coronavirus pandemic prompted the entire world to move online, with many people working remotely as well.


News URL

https://go.theregister.com/feed/www.theregister.com/2021/03/02/gootkit_ransomware_evolution_sophos/