Tag Archive for: Gootloader

Cybercriminals Targeting Law Firms with GootLoader and FakeUpdates Malware


Mar 01, 2023 | Ravie Lakshmanan | Threat Intelligence / Malware


Six different law firms were targeted in January and February 2023 as part of two disparate threat campaigns distributing GootLoader and FakeUpdates (aka SocGholish) malware strains.

GootLoader, active since late 2020, is a first-stage downloader that’s capable of delivering a wide range of secondary payloads such as Cobalt Strike and ransomware.

It notably employs search engine optimization (SEO) poisoning to funnel victims searching for business-related documents toward drive-by download sites that drop the JavaScript malware.

In the campaign detailed by cybersecurity company eSentire, the threat actors are said to have compromised legitimate, but vulnerable, WordPress websites and added new blog posts without the owners’ knowledge.

“When the computer user navigates to one of these malicious web pages and hits the link to download the purported business agreement, they are unknowingly downloading GootLoader,” eSentire researcher Keegan Keplinger said in January 2022.


The disclosure from eSentire is the latest in a wave of attacks that have utilized the Gootkit malware loader to breach targets.

GootLoader is far from the only JavaScript malware targeting business professionals and law firm employees. A separate set of attacks has also entailed the use of SocGholish, a downloader capable of dropping further executables.

The infection chain is further significant for taking advantage of a website frequented by legal firms as a watering hole to distribute the malware.

Another standout aspect of the twin intrusion sets is the absence of ransomware deployment; the operators instead favored hands-on-keyboard activity, suggesting that the attacks may have diversified in scope to include espionage operations.

“Prior to 2021, email was the primary infection vector used by opportunistic threat actors,” Keplinger said. “From 2021 to 2023, browser-based attacks […] have steadily been growing to compete with email as the primary infection vector.”

“This has been largely thanks to GootLoader, SocGholish, SolarMarker, and recent campaigns leveraging Google Ads to float top search results.”


Source…

Gootloader malware gets an update with PowerShell tech • The Register


The operators behind Gootloader, a crew dubbed UNC2565, have upgraded the code in cunning ways to make it more intrusive and harder to find.

Researchers with Google-owned security shop Mandiant started seeing significant changes to the Gootloader malware package – also known as Gootkit – in November 2022, including using multiple variations of FONELAUNCH, a .NET-based loader, as well as some newly developed payloads and obfuscation techniques. There are also changes in its infection chain, including a new variant called Gootloader.PowerShell.

“These changes are illustrative of UNC2565’s active development and growth in capabilities,” the researchers wrote in a report, adding that the group is the only one known to use the malware.

A Gootloader infection starts via a search engine optimization (SEO) poisoning attack, with a victim who is searching online for business-related documents, such as templates, agreements, or contracts, being lured into going to a website compromised by the criminal gang.

On the site are documents that actually are malicious ZIP archives housing malware written in JavaScript. Once the file is opened and the malware activated, more payloads like Cobalt Strike, FONELAUNCH, and SNOWCONE are added, as well as another collection of downloaders with payloads including the high-profile IcedID banking trojan.

Three months ago, Mandiant researchers began seeing the Gootloader.PowerShell variant, whose infection chain writes a second JavaScript file to the system’s disk that reaches out to 10 hard-coded URLs, with each request containing encoded data about the compromised system, such as the Windows version in use, running processes, and filenames.

This one isn’t stopping

Since May 2021, Gootloader has used three variants of FONELAUNCH – FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE.

“The evolution of FONELAUNCH variants over time has allowed…

Source…

Karakurt warning. Clipminer in the wild. GootLoader evolves. Cyber ops in Russia’s hybrid war. Russian agencies buy VPNs.


Dateline Moscow, Kyiv, Washington: Gray zone operations.

Ukraine at D+98: Friction in the gray zone. (The CyberWire) Advancing into the rubble it’s created, Russia’s army tries to come to grips with combat refusals. The White House says that the cyber operations NSA Director Nakasone alluded to this week are entirely consistent with the US policy of avoiding direct combat with Russia. Observers work to understand the state of the cyber phase of the hybrid war. And Russian censorship seems to be producing friction in some Russian government operations. (That’s why agencies in Moscow are buying VPNs.)

Russia-Ukraine war: List of key events, day 99 (Al Jazeera) As the Russia-Ukraine war enters its 99th day, we take a look at the main developments.

Exclusive: Ukraine troops retreating in Donbas have a plan, Luhansk governor says (Newsweek) Serhiy Haidai told Newsweek the defenders remain defiant despite the intense Russian attacks, which included a strike on a chemical plant.

Russia-Ukraine latest news: Kyiv may switch off Europe’s largest nuclear powerplant (The Telegraph) Ukraine would consider switching off its Zaporizhzhia nuclear power plant that lies in Russian-occupied territory if Kyiv loses control of operations at the site, an aide to the prime minister has said, Interfax news agency reports.

Documents Reveal Hundreds of Russian Troops Broke Ranks Over Ukraine Orders (Wall Street Journal) Desertions and refusal to engage in the invasion have put Moscow in a bind over how to punish service members without drawing more attention to the problem. “So many people don’t want to fight.”

The Russian Military’s People Problem (Foreign Affairs) It’s hard for Moscow to win while mistreating its soldiers.

Zelensky will be tried as war criminal if Russia captures him (Newsweek) A lawmaker in the self-declared, Russia-backed Donetsk People’s Republic accused Ukraine’s president of sending “neo-Nazis to Donbas to kill civilians.”

Six lessons the Ukraine conflict has taught us about modern warfare (The Telegraph) From drones to the use of tanks, we dissect the masterstrokes and miscalculations of military tactics after three months of fighting

Some see cyberwar in Ukraine. Others see…

Source…

Multi-payload Gootloader platform stealthily delivers malware and ransomware


The delivery method for the six-year-old Gootkit financial malware has been developed into a complex and stealthy delivery system for a wide range of malware, including ransomware. Sophos researchers have named the platform Gootloader. It is actively delivering malicious payloads through tightly targeted operations in the US, Germany and South Korea. Previous campaigns also targeted internet users in France.

Gootloader

The Gootloader infection chain begins with sophisticated social engineering techniques that involve hacked websites, malicious downloads, and manipulated search engine optimization (SEO). When someone types a question into a search engine such as Google, the hacked websites appear among the top results.

To ensure targets from the right geographies are captured, the adversaries rewrite website code “on the go” so that website visitors who fall outside the desired countries are shown benign web content, while those from the right location are shown a page featuring a fake discussion forum on the topic they’ve queried. The fake websites are visually identical regardless of whether they are in English, German or Korean.

The fake discussion forum includes a post from a “site administrator,” with a link to a download. The download is a malicious JavaScript file that initiates the next stage of compromise.

From this point on, the attack proceeds covertly, using a wide range of complicated evasion techniques, multiple layers of obfuscation, and fileless malware that is injected into memory or the registry where conventional security scans cannot reach it. Gootloader is currently delivering Kronos financial malware in Germany, and the post-exploitation tool, Cobalt Strike, in the US and South Korea. It has also delivered REvil ransomware and the Gootkit trojan itself.

“The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware,” said Gabor Szappanos, threat research director at Sophos. “This shows that criminals tend to reuse their proven solutions instead of developing new delivery…

Source…