A framework notorious for delivering a banking trojan has been given a facelift to deploy a wider range of malware, including ransomware payloads.
“The Gootkit malware family has been around for over half a year – a mature Trojan horse with functionality aimed at banking data theft,” said Sophos researchers Gabor Szappanos and Andrew Brandt in an article published today.
Over the years, the cybercrime tool has evolved with new information-stealing features, reusing the Gootkit loader in conjunction with REvil / Sodinokibi ransomware infections reported last year.
While campaigns that use social engineering tricks to deliver malicious payloads are a dime a dozen, Gootloader takes this to the next level.
The infection chain relies on an elaborate setup: malicious ZIP archives are hosted on legitimate company websites that have been compromised and then pushed to the top of search results for specific queries through search engine optimization (SEO) poisoning.
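Because the delivery described above depends on a victim landing on a search result and downloading an archive from an otherwise legitimate site, a practical detection is to look in web proxy logs for archive downloads whose referrer is a search engine. The example below is added here and is not code from the Sophos write-up; the log format, the field layout, the host names (all under the reserved `.invalid` domain) and the sample lines are constructed for the demonstration, so the parser must be adapted to a real proxy export.

```python
"""Flag ZIP downloads that arrive straight from a search-engine result page.

This mirrors the Gootloader delivery pattern in the article: a compromised but
legitimate site serves a malicious archive to visitors sent there by poisoned
search results. Everything below (log layout, hosts, lines) is constructed.
"""

from urllib.parse import urlparse

# Constructed sample proxy log. Fields: timestamp, client, referrer, URL, content-type.
SAMPLE_LOG = """\
2021-03-01T10:02:11Z 10.0.0.12 https://www.google.com/search?q=contract+template https://example-lawfirm.invalid/forum/download.php?id=41 application/zip
2021-03-01T10:04:55Z 10.0.0.19 https://intranet.corp.invalid/wiki https://updates.vendor.invalid/tool-1.2.zip application/zip
2021-03-01T10:05:02Z 10.0.0.12 https://www.bing.com/search?q=agreement+form https://example-lawfirm.invalid/agreement_form_12345.zip application/octet-stream
2021-03-01T10:07:40Z 10.0.0.22 https://www.google.com/search?q=docs https://docs.vendor.invalid/page.html text/html
"""

# Referrer hosts treated as search engines (extend for your environment).
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Content types that identify a ZIP archive; the URL path is checked as well
# because a server may return a generic octet-stream for a .zip file.
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def is_search_referrer(referrer: str) -> bool:
    """True when the referrer host is one of the known search engines."""
    host = urlparse(referrer).netloc.lower()
    return host in SEARCH_ENGINE_HOSTS


def is_archive(url: str, content_type: str) -> bool:
    """True when either the declared content type or the path marks a ZIP."""
    if content_type.lower() in ARCHIVE_TYPES:
        return True
    return urlparse(url).path.lower().endswith(".zip")


def find_search_delivered_archives(log_text: str) -> list:
    """Return one record per archive download whose referrer is a search engine."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # The constructed format has exactly five space-separated fields.
        timestamp, client, referrer, url, content_type = line.split(" ", 4)
        if is_search_referrer(referrer) and is_archive(url, content_type):
            hits.append({
                "timestamp": timestamp,
                "client": client,
                "site": urlparse(url).netloc,
                "url": url,
                "referrer": referrer,
            })
    return hits


if __name__ == "__main__":
    for hit in find_search_delivered_archives(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['client']} downloaded archive from {hit['site']} via {hit['referrer']}")
```

On the sample log this flags the two downloads from `example-lawfirm.invalid`, including the one served as `application/octet-stream`, and ignores both the archive fetched from an internal wiki link and the HTML page reached from a search. A real deployment would add an allow-list of known software distribution hosts to keep legitimate installer downloads from generating noise.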
In addition to delivering the REvil ransomware and Gootkit trojan, multiple campaigns have been spotted currently using the Gootloader framework to secretly deliver Kronos financial malware in Germany and the post-exploitation tool Cobalt Strike in the US.
It is still unclear how the operators gained access to the websites to perform the malicious injections, but the researchers suspect that the attackers obtained the passwords by installing the Gootkit malware or by purchasing stolen credentials from underground markets, or by exploiting security vulnerabilities in the plug-ins used alongside the content management system (CMS) software.
“This shows that criminals tend to reuse their proven solutions instead of developing new delivery mechanisms. In addition, instead of actively attacking endpoint tools like some malware distributors do, the makers of Gootloader have opted for complicated evasion techniques that disguise the end result,” they added.