Gootkit malware returns to life alongside REvil ransomware


Level 76
Content Creator
Malware Hunter
Aug 17, 2014
After a year-long vacation, the Gootkit information-stealing Trojan has returned to life alongside REvil Ransomware in a new campaign targeting Germany.
The Gootkit Trojan is Javascript-based malware that performs various malicious activities, including remote access for threat actors, keystroke capturing, video recording, email theft, password theft, and the ability to inject malicious scripts to steal online banking credentials.

Last week, a security researcher known as The Analyst told BleepingComputer that the Gootkit malware had emerged again in attacks targeting Germany.
In this new malicious campaign, threat actors are hacking WordPress sites and utilizing SEO poisoning to display fake forum posts to visitors. These posts pretend to be a question and answers with a link to fake forms or downloads. When the user clicks on the link, they will download a ZIP file containing an obfuscated JS file that will install either the Gootkit malware or the REvil ransomware.
In a new report released today, Malwarebytes' researchers explain that the malicious JavaScript payloads will perform fileless attacks of either Gootkit or REvil.
When launched, the JavaScript script will connect to its command and control server and downloads another script that contains the malicious malware payload.
In Malwarebytes' analysis, this payload is usually Gootkit, but it was also REvil ransomware in some cases.
"After conversion to ASCII, the next JavaScript is revealed, and the code is executed. This JavaScript comes with an embedded PE payload which may be either a loader for Gootkit, or for the REvil ransomware. There are also some differences in the algorithm used to deobfuscate it," Malwarebytes stated in their report.
Last edited: