Gootkit RAT uses SEO to spread malware through compromised sites
A framework notorious for delivering a banking trojan has been given a facelift to deploy a wider range of malware, including ransomware payloads.
“The Gootkit malware family has been around for over half a year – a mature Trojan horse with functionality aimed at banking data theft,” said Sophos researchers Gabor Szappanos and Andrew Brandt in an article published today.
First documented in 2014, Gootkit is a JavaScript-based malware platform capable of a range of covert activities, including web injection, keystroke capture, screenshots, video recording, and email and password theft.
Over the years, the cybercrime tool has gained new information-stealing features, and the Gootkit loader was reused to deliver the REvil / Sodinokibi ransomware infections reported last year.
While campaigns that use social engineering tricks to deliver malicious payloads are a dime a dozen, Gootloader, the delivery framework behind these campaigns, takes this to the next level.
The infection chain relies on malicious ZIP archives hosted on legitimate company websites that have been manipulated, through search engine optimization (SEO) tricks, to appear at the top of the results for a search query.
Clicking on the search result takes the user to a fake message-board-like page that not only matches the terms used in the original search, but also contains a link to the ZIP file. The archive holds a heavily obfuscated JavaScript file that kicks off the next stage of the compromise, injecting fileless malware retrieved from a remote server into memory.
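A defender-side check for the lure described above, written as an added example (not Sophos' code or detection logic): it inspects a downloaded ZIP archive and flags members that fit the pattern of a single, heavily obfuscated script file. The archive and script contents are constructed inline; the script extension list and the long-line threshold are assumptions.

```python
import io
import os
import zipfile

# Windows script-host extensions a web gateway would treat with suspicion (assumption).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
LONG_LINE = 500  # obfuscated loaders tend to pack code into very long lines (assumption)


def inspect_archive(zip_bytes: bytes) -> list:
    """Return one finding per member that looks like a script dropper.

    Heuristics: script extension, lone file in the archive, and at least one
    very long line in the script body.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        for m in members:
            ext = os.path.splitext(m.filename)[1].lower()
            if ext not in SCRIPT_EXTS:
                continue
            reasons = ["script extension " + ext]
            if len(members) == 1:
                reasons.append("single-file archive")
            longest = max((len(line) for line in zf.read(m).splitlines()), default=0)
            if longest > LONG_LINE:
                reasons.append("longest line %d chars" % longest)
            findings.append({"member": m.filename, "reasons": reasons})
    return findings


def build_zip(name: str, content: bytes) -> bytes:
    """Construct a one-member ZIP in memory (sample data, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for a lure: a file named after a search phrase, holding
# one very long junk-filled array like obfuscated loaders tend to carry.
SAMPLE_JS = (b"var a=[" + b",".join(b'"%04x"' % (i * 2654435761 % 65536) for i in range(400))
             + b"];\nfunction f(i){return a[i]}\n")
SAMPLE_LURE = build_zip("agreement template 4821.js", SAMPLE_JS)
SAMPLE_BENIGN = build_zip("readme.txt", b"Just a plain text file.\n")

if __name__ == "__main__":
    for f in inspect_archive(SAMPLE_LURE):
        print(f["member"], "->", "; ".join(f["reasons"]))
```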
In addition to delivering the REvil ransomware and the Gootkit trojan, multiple campaigns have been spotted that currently use the Gootloader framework to covertly deliver the Kronos financial malware in Germany and the post-exploitation tool Cobalt Strike in the US.
It is still unclear how the operators gained access to the websites to perform the malicious injections, but the researchers suspect that the attackers obtained the passwords by installing the Gootkit malware, by purchasing stolen credentials from underground markets, or by exploiting security vulnerabilities in the plug-ins and content management system (CMS) software in use.
“This shows that criminals tend to reuse their proven solutions instead of developing new delivery mechanisms. In addition, instead of actively attacking endpoint tools like some malware distributors do, the makers of Gootloader have opted for complicated evasion techniques that disguise the end result,” they added.