Feb 09, 2023 | Ravie Lakshmanan | Threat Intelligence / Malware
The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason.
The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver Cobalt Strike and SystemBC for post-exploitation.
“The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than 4 hours,” Cybereason said in an analysis published February 8, 2023.
Gootkit, also called Gootloader, is exclusively attributed to a threat actor tracked by Mandiant as UNC2565. Starting its life in 2014 as a banking trojan, the malware has since morphed into a loader capable of delivering next-stage payloads.
The attack chain relies on search engine optimization (SEO) poisoning: victims searching Google or DuckDuckGo for agreements and contracts are lured to a booby-trapped web page, ultimately leading to the deployment of Gootloader.
The disclosure comes amid the ongoing trend of abusing Google Ads by malware operators as an intrusion vector to distribute a variety of malware such as FormBook, IcedID, RedLine, Rhadamanthys, and Vidar.
The evolution of Gootloader into a sophisticated loader also reflects how threat actors continually seek new targets and methods to maximize profit, pivoting to a malware-as-a-service (MaaS) model and selling the access they gain to other criminals.