
Gootkit RAT Using SEO to Distribute Malware Through Compromised Sites
2021-03-02 00:52

"The Gootkit malware family has been around more than half a decade - a mature Trojan with functionality centered around banking credential theft," Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today.

Dubbed "Gootloader," the expanded malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S. First documented in 2014, Gootkit is a JavaScript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft.

Clicking the search result takes the user to a fake message-board-like page that not only matches the search terms used in the initial query but also includes a link to a ZIP file. The archive contains a heavily obfuscated JavaScript file that initiates the next stage of the compromise, fetching the fileless malware from a remote server and injecting it into memory.

In addition to delivering the REvil ransomware and the Gootkit trojan, multiple campaigns have been spotted currently leveraging the Gootloader framework to stealthily deliver the Kronos financial malware in Germany, and the Cobalt Strike post-exploitation tool in the U.S. It's still unclear how the operators gain access to the websites to serve the malicious injects, but the researchers suspect the attackers may have obtained the passwords by installing the Gootkit malware or purchasing stolen credentials from underground markets, or by leveraging security flaws present in the plugins used alongside content management system software.

The findings have been echoed by Microsoft in a series of tweets, noting it's "Seeing numerous extensive hands-on-keyboard attacks emanating from the Gootkit malware, which is distributed via drive-by downloads as a JavaScript within a ZIP file."
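The delivery step both Sophos and Microsoft describe, a ZIP downloaded from the browser whose only content is a script file, is something a defender can screen for at the download or mail gateway. The following Python example is added here for illustration; it is not code from Sophos, Microsoft or the Gootloader analysis, and the in-memory sample archives it builds are constructed for the demonstration rather than real artefacts. The list of script extensions and the "every file in the archive is a script" heuristic are assumptions of this example, not findings from the article.

```python
import io
import zipfile

# Extensions Windows hands to the script host when double-clicked.
# Constructed list for this example; tune it to your environment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}


def script_members(zip_bytes: bytes) -> list:
    """Return the names of archive members that carry a script extension."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            if any(name.endswith(ext) for ext in SCRIPT_EXTENSIONS):
                found.append(info.filename)
    return found


def looks_like_script_lure(zip_bytes: bytes) -> bool:
    """Heuristic (assumption of this example): flag an archive whose
    every file member is a script, which matches the "JavaScript within
    a ZIP file" delivery described in the article."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
    if not files:
        return False
    return len(script_members(zip_bytes)) == len(files)


def build_sample_zip(members: dict) -> bytes:
    """Build a ZIP in memory from {name: text}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a lure-style archive and a benign one.
    lure = build_sample_zip({"agreement_template.js": "// constructed stub\nvar a = 1;"})
    benign = build_sample_zip({"report.pdf": "%PDF-1.4 constructed", "notes.txt": "hi"})
    print("lure flagged:", looks_like_script_lure(lure))      # True
    print("benign flagged:", looks_like_script_lure(benign))  # False
```

In practice the check belongs at the point where the archive is first seen (proxy, mail gateway, EDR download event) and pairs well with the usual endpoint mitigation of re-associating `.js` and `.jse` with a text editor so that a double-click opens the file rather than running it.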

"The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware," said Gabor Szappanos, threat research director at Sophos.


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/0i8FA0w-_6w/gootkit-rat-using-seo-to-distribute.html