
Gootloader malware updated with PowerShell, sneaky JavaScript
2023-01-30 19:45

Researchers with Google-owned security shop Mandiant started seeing significant changes to the Gootloader malware package - also known as Gootkit - in November 2022, including the use of multiple variations of FONELAUNCH, a .NET-based loader, as well as some newly developed payloads and obfuscation techniques.

A Gootloader infection starts via a search engine optimization poisoning attack, with a victim who is searching online for business-related documents, such as templates, agreements, or contracts, being lured into going to a website compromised by the criminal gang.

Three months ago, Mandiant researchers began seeing the Gootloader.

Gootloader in the months since May 2021 has used three variants of FONELAUNCH - FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE. "The evolution of FONELAUNCH variants over time has allowed UNC2565 to distribute and execute a wider variety of payloads, including DLLs, .NET binaries, and PE files," the Mandiant researchers wrote.

New samples of Gootloader with slight variations in the obfuscation code appeared in August 2022, extending the obfuscated string variables throughout the file - previous variants have them all on the same line - and inside a trojanized jit.

>The third obfuscation variant - seen in Gootloader.
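The layout change described above (string fragments spread across a trojanized file rather than collected on one line) is the kind of property a defender can measure when triaging suspicious JavaScript. The script below is an added example, not Mandiant's detection logic or anything from the Gootloader samples: it counts string-literal variable assignments in a JavaScript file and reports whether they are clustered on a single line, scattered across many lines, or too few to matter. The regex, thresholds and the two sample files are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical heuristic: match simple string-literal assignments such as
#   var ab12 = 'fragment';   or   ab12="fragment";
# Real obfuscators vary widely; this pattern is an illustrative assumption.
STRING_ASSIGN = re.compile(
    r"(?:var\s+|let\s+|const\s+)?([A-Za-z_$][\w$]*)\s*=\s*(['\"])(.*?)\2\s*;"
)


@dataclass
class ObfuscationStats:
    assignments: int        # string-literal variable assignments found
    lines_with_assign: int  # distinct lines carrying at least one assignment
    total_lines: int
    spread: float           # fraction of lines that carry such assignments


def analyse(js_source: str) -> ObfuscationStats:
    """Count string-literal assignments and how many lines they occupy."""
    lines = js_source.splitlines()
    assignments = 0
    hit_lines = 0
    for line in lines:
        hits = len(STRING_ASSIGN.findall(line))
        if hits:
            hit_lines += 1
            assignments += hits
    total = len(lines)
    return ObfuscationStats(assignments, hit_lines, total, hit_lines / max(total, 1))


def classify(stats: ObfuscationStats, min_assignments: int = 20,
             min_scatter_lines: int = 10) -> str:
    """Label the layout of string fragments (thresholds are assumptions)."""
    if stats.assignments < min_assignments:
        return "benign-looking"
    if stats.lines_with_assign == 1:
        return "clustered"      # every fragment on the same line
    if stats.lines_with_assign >= min_scatter_lines:
        return "scattered"      # fragments interleaved throughout the file
    return "mixed"


# --- constructed sample inputs (not real malware) -------------------------
FRAGMENTS = [f"frag{i}" for i in range(24)]

# Variant A: all fragment assignments on one line, then ordinary code.
CLUSTERED_SAMPLE = (
    " ".join(f"var v{i}='{f}';" for i, f in enumerate(FRAGMENTS))
    + "\nconsole.log(v0+v1);"
)

# Variant B: the same assignments interleaved with benign library-like lines.
BENIGN_LINES = [
    "function add(a, b) { return a + b; }",
    "// helper",
    "module.exports = {};",
]
_scattered = []
for i, f in enumerate(FRAGMENTS):
    _scattered.append(f"var v{i}='{f}';")
    _scattered.append(BENIGN_LINES[i % len(BENIGN_LINES)])
SCATTERED_SAMPLE = "\n".join(_scattered)

# Control: only the benign lines.
BENIGN_SAMPLE = "\n".join(BENIGN_LINES)


if __name__ == "__main__":
    for name, src in [("clustered", CLUSTERED_SAMPLE),
                      ("scattered", SCATTERED_SAMPLE),
                      ("benign", BENIGN_SAMPLE)]:
        s = analyse(src)
        print(f"{name:10s} assignments={s.assignments:3d} "
              f"lines={s.lines_with_assign:3d}/{s.total_lines:3d} -> {classify(s)}")
```

The verdict alone is not a conviction: legitimate minified libraries also put many strings on one line, so the value of the measurement is in the combination with context (a file fetched from an SEO-poisoned site, a JavaScript file inside a ZIP that a user searched for) rather than the label by itself.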


News URL

https://go.theregister.com/feed/www.theregister.com/2023/01/30/gootloader_mandiant_malware/