The operators of the Gootkit access-as-a-service (AaaS) malware have resurfaced with updated techniques for compromising unwary victims. Gootkit was previously known for using a wide range of attack vectors to infect its targets, which allowed the malware to reach devices running outdated operating systems.
“In the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into downloading these files,” Trend Micro researchers Buddy Tancio and Jed Valderama said in a report published last week.
The findings build on an earlier report from eSentire, which warned in January of widespread campaigns that targeted employees of accounting and law firms in order to infect their machines with malware. Gootkit is part of the growing underground access broker ecosystem, which is known for selling footholds in corporate networks to other threat actors, who then use that access to launch damaging attacks such as ransomware.
Using manipulated search engine results, a tactic known as SEO poisoning, the loader lures unwary users to compromised websites that host malware-laced ZIP archives posing as disclosure agreements for real estate transactions. The researchers noted that the combination of SEO poisoning and compromised but otherwise legitimate websites can mask the signs of malicious behavior that would normally alert visitors.
The ZIP archive contains a JavaScript file which, once run, loads Cobalt Strike, a post-exploitation framework, directly into memory without writing it to disk (a fileless technique). According to the researchers, Gootkit is still active and continues to refine its methods, and the fact that other threat actors keep relying on it indicates that the operation has been successful.
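The infection chain described above starts with a single artifact that is easy to check at a mail or web gateway: a ZIP archive whose only payload is a script file dressed up with a document-style name. The following Python is an added example written for this article, not code from Trend Micro, eSentire or the Gootkit operators. It builds a constructed ZIP in memory that imitates the lure (a lone `.js` file named like a real estate disclosure agreement) and triages it; the keyword list, the set of script extensions and the archive names are assumptions chosen for illustration.

```python
"""Triage a ZIP lure for a script-based loader (added example, not the report's code)."""
import io
import zipfile
from dataclasses import dataclass, field

# Extensions that Windows Script Host or mshta runs on double-click in a default
# Windows configuration (assumption: the victim host is configured that way).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}

# Words the lure trades on; the article mentions real estate disclosure
# agreements. The list itself is a constructed assumption, not from the report.
DOCUMENT_KEYWORDS = ("agreement", "disclosure", "contract", "invoice")


@dataclass
class Finding:
    entry: str
    reasons: list[str] = field(default_factory=list)


def triage_zip(data: bytes) -> list[Finding]:
    """Return one Finding per script-type entry in the archive bytes.

    Each Finding lists why the entry is suspicious: script extension, a
    document-themed name on a script, a double extension such as
    'agreement.pdf.js', or the archive containing nothing but that script.
    """
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        for info in files:
            lower = info.filename.lower()
            parts = lower.rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext not in SCRIPT_EXTENSIONS:
                continue
            f = Finding(entry=info.filename)
            f.reasons.append(f"script extension {ext}")
            if any(k in lower for k in DOCUMENT_KEYWORDS):
                f.reasons.append("document-themed name on a script file")
            if len(parts) > 2:
                f.reasons.append(f"double extension {'.'.join(parts[-2:])}")
            if len(files) == 1:
                f.reasons.append("script is the only file in the archive")
            findings.append(f)
    return findings


def build_constructed_lure() -> bytes:
    """Constructed sample: a ZIP holding one lure-named .js file with a harmless body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "Real_Estate_Disclosure_Agreement.pdf.js",
            "// harmless placeholder; the real lure is a loader\nWScript.Echo('x');\n",
        )
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed sample: a ZIP holding a plain (placeholder) PDF, no scripts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("disclosure_agreement.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_constructed_lure()), ("benign", build_benign_archive())):
        hits = triage_zip(blob)
        print(label, "->", [(h.entry, h.reasons) for h in hits] or "no script entries")
```

Run against a real attachment, the check costs nothing at the gateway and catches the mismatch the lure depends on: a document name on a file the operating system will execute as a script. It says nothing about what the script does once run; that stage (in-memory loading of Cobalt Strike) needs process- and memory-level telemetry rather than archive inspection.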