A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads.
“The Gootkit malware family has been around more than half a decade – a mature Trojan with functionality centered around banking credential theft,” Sophos researchers Gabor Szappanos and Andrew Brandt said in a write-up published today.
“In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself.”
Dubbed “Gootloader,” the expanded malware delivery system comes amid a surge in the number of infections targeting users in France, Germany, South Korea, and the U.S.
First documented in 2014, Gootkit is a JavaScript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft.
Over the years, the cybercrime tool has evolved to gain new information-stealing features, with the Gootkit loader repurposed in combination with REvil/Sodinokibi ransomware infections reported last year.
While campaigns using social engineering tricks to deliver malicious payloads are a dime a dozen, Gootloader takes it to the next level.
The infection chain relies on a sophisticated setup: malicious ZIP archives are hosted on websites belonging to legitimate businesses, and those sites are then pushed to the top of the results for a given search query using manipulated search engine optimization (SEO) methods.
What’s more, the search engine results point to websites that have no “logical” connection to the search query, implying that the attackers must be in possession of a vast network of hacked websites. In one case spotted by the researchers, a search for advice on a real estate agreement surfaced a breached neonatal medical practice based in Canada as the first result.
“To ensure targets from the right geographies are captured, the adversaries rewrite website code ‘on the go’ so that website visitors who fall outside the desired countries are shown benign web content, while those from the right location are shown a page featuring a fake discussion forum on the topic they’ve queried,” the researchers said.
Clicking the search result takes the user to a fake message board-like page that not only matches the search terms used in the initial query but also includes a link to the ZIP file. The archive contains a heavily obfuscated JavaScript file that initiates the next stage of the compromise, fetching the fileless malware from a remote server and injecting it into memory.
This takes the form of a multi-stage, evasive approach: the fileless malware is a .NET loader, which carries a Delphi-based loader, which, in turn, contains the final payload in encrypted form.
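A defender-side triage check for the delivery shape described above (a downloaded ZIP whose contents are a heavily obfuscated JavaScript file), written as an added example rather than code from Sophos or the campaign; the script extension list, the obfuscation heuristic and the sample archives are all constructed assumptions:

```python
"""Triage a downloaded ZIP archive for the 'lone obfuscated script' delivery
pattern without ever executing its contents. Constructed example."""
import io
import zipfile

# Extensions handled by Windows script hosts (assumed list, not from the report).
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".hta")


def looks_obfuscated(source: str) -> bool:
    """Cheap heuristic (assumption): obfuscated droppers tend to pack their
    code into very long lines and carry a high share of punctuation/digits."""
    lines = source.splitlines() or [source]
    longest = max(len(line) for line in lines)
    noise = sum(1 for ch in source if not (ch.isalnum() or ch.isspace()))
    return longest > 1000 or noise / max(len(source), 1) > 0.35


def triage_zip(data: bytes) -> dict:
    """Return member names, which members are scripts, which scripts look
    obfuscated, and whether the archive matches the delivery shape."""
    result = {"members": [], "script_members": [], "obfuscated": [], "suspicious": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not a zip archive"
        return result
    for info in archive.infolist():
        name = info.filename
        result["members"].append(name)
        if name.lower().endswith(SCRIPT_EXTENSIONS):
            result["script_members"].append(name)
            text = archive.read(name).decode("utf-8", errors="replace")
            if looks_obfuscated(text):
                result["obfuscated"].append(name)
    # Shape seen in the campaign: the archive exists only to carry a script.
    result["suspicious"] = bool(result["script_members"]) and len(result["members"]) == 1
    return result


def build_sample_zip(name: str, body: str) -> bytes:
    """Build a constructed in-memory archive (not a real campaign artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(name, body)
    return buf.getvalue()


# Constructed stand-ins: one long-line 'obfuscated' script and one benign file.
SAMPLE_JS = "var a=[" + ",".join(str(i * 7 % 251) for i in range(600)) + "];"
SAMPLE_ZIP = build_sample_zip("real_estate_agreement_template.js", SAMPLE_JS)
BENIGN_ZIP = build_sample_zip("agreement.pdf", "%PDF-1.4 constructed placeholder")
```

Running `triage_zip` over a download quarantine is a detection aid only; a hit should route the archive to sandbox analysis, not be treated as a verdict.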
In addition to delivering the REvil ransomware and the Gootkit trojan, multiple campaigns have been spotted currently leveraging the Gootloader framework to stealthily deliver the Kronos financial malware in Germany and the Cobalt Strike post-exploitation tool in the U.S.
It’s still unclear how the operators gain access to the websites used to serve the malicious injects, but the researchers suspect the attackers may have obtained the passwords by installing the Gootkit malware or purchasing stolen credentials from underground markets, or by leveraging security flaws present in the plugins used alongside content management system (CMS) software.
“The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware,” said Gabor Szappanos, threat research director at Sophos.
“This shows that criminals tend to reuse their proven solutions instead of developing new delivery mechanisms. Further, instead of actively attacking endpoint tools as some malware distributors do, the creators of Gootloader have opted for convoluted evasive techniques that conceal the end result,” he added.