Security News > 2022 > August > Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers

The operators of the Gootkit access-as-a-service malware have resurfaced with updated techniques to compromise unsuspecting victims.

"In the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into downloading these files," Trend Micro researchers Buddy Tancio and Jed Valderama said in a write-up last week.

Gootkit is part of the proliferating underground ecosystem of access brokers, who are known to provide other malicious actors a pathway into corporate networks for a price, paving the way for actual damaging attacks such as ransomware.

The loader utilizes malicious search engine results, a technique called SEO poisoning, to lure unsuspecting users into visiting compromised websites hosting malware-laced ZIP package files purportedly related to disclosure agreements for real estate transactions.

"The combination of SEO poisoning and compromised legitimate websites can mask indicators of malicious activity that would usually keep users on their guard," the researchers pointed out.

The ZIP file, for its part, includes a JavaScript file that loads a Cobalt Strike binary, a tool used for post-exploitation activities that run directly in the memory filelessly.

News URL

https://thehackernews.com/2022/07/gootkit-loader-resurfaces-with-updated.html