Gootkit Malware Continues to Evolve with New Components and Obfuscations

silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,108
Content source
https://thehackernews.com/2023/01/gootkit-malware-continues-to-evolve.html
The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains.

Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is "exclusive to this group."

Gootkit, also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning.

The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as Cobalt Strike Beacon, FONELAUNCH, and SNOWCONE.

FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, whereas SNOWCONE is a downloader that's tasked with retrieving next-stage payloads, typically IcedID, via HTTP.

Gootkit Malware
Click to expand...
thehackernews.com

Gootkit Malware Continues to Evolve with New Components and Obfuscations

Gootkit malware continues to evolve and become more sophisticated, with notable changes to the toolkit, adding new components and obfuscations.
thehackernews.com thehackernews.com
 
  • Like
  • +Reputation
Reactions: vtqhtr413, Gandalf_The_Grey, upnorth and 2 others
silversurfer

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,108
The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason.

The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver Cobalt Strike and SystemBC for post-exploitation.

"The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than 4 hours," Cybereason said in an analysis published February 8, 2023.
Click to expand...
thehackernews.com

Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

Gootkit malware is now targeting healthcare and financial organizations in the US, UK and Australia by using a new method of deployment.
thehackernews.com thehackernews.com
 
  • Like
Reactions: harlan4096
You must log in or register to reply here.

Similar threads

silversurfer
    • Like
    • +Reputation
Gootkit malware abuses VLC to infect healthcare orgs with Cobalt Strike
Replies
0
Views
698
News Archive
silversurfer
silversurfer
Gandalf_The_Grey
    • Like
Malware News Bumblebee malware returns after recent law enforcement disruption
Replies
0
Views
1,079
Security News
Gandalf_The_Grey
Gandalf_The_Grey
silversurfer
    • Like
    • +Reputation
Malware News New GootLoader Malware Variant Evades Detection and Spreads Rapidly
Replies
0
Views
1,797
Security News
silversurfer
silversurfer

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top