Sunday, January 29, 2023
HomeCyber SecurityGootkit Malware Continues to Evolve with New Parts and Obfuscations

Gootkit Malware Continues to Evolve with New Parts and Obfuscations


Jan 29, 2023Ravie LakshmananCyber Menace / Malware

The menace actors related to the Gootkit malware have made “notable modifications” to their toolset, including new elements and obfuscations to their an infection chains.

Google-owned Mandiant is monitoring the exercise cluster beneath the moniker UNC2565, noting that the utilization of the malware is “unique to this group.”

Gootkit, additionally known as Gootloader, is unfold by compromised web sites that victims are tricked into visiting when trying to find business-related paperwork like agreements and contracts by way of a way known as search engine marketing (search engine optimization) poisoning.

The purported paperwork take the type of ZIP archives that harbor the JavaScript malware, which, when launched, paves the best way for added payloads equivalent to Cobalt Strike Beacon, FONELAUNCH, and SNOWCONE.

FONELAUNCH is a .NET-based loader designed to load an encoded payload into reminiscence, and SNOWCONE is a downloader that is tasked with retrieving next-stage payloads, usually IcedID, by way of HTTP.

Gootkit Malware

Whereas the overarching objectives of Gootkit have remained unchanged, the assault sequence in itself has acquired important updates, whereby the JavaScript file throughout the ZIP archive is trojanized and comprises one other obfuscated JavaScript file that consequently proceeds to execute the malware.

Gootkit Malware

The brand new variant, which was noticed by the menace intelligence agency in November 2022, is being tracked as GOOTLOADER.POWERSHELL. It is price noting that the revamped an infection chain was additionally documented by Development Micro earlier this month, detailing Gootkit assaults concentrating on the Australian healthcare sector.

What’s extra, the malware authors are mentioned to have taken three completely different approaches to obscure Gootkit, together with concealing the code inside altered variations of respectable JavaScript libraries equivalent to jQuery, Chroma.js, and Underscore.js, in an try to flee detection.

It isn’t simply Gootkit, as three completely different flavors of FONELAUNCH – FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE – have been put to make use of by UNC2565 since Might 2021 to execute DLLs, .NET binaries, and PE information, indicating that the malware arsenal is being constantly maintained and up to date.

“These modifications are illustrative of UNC2565’s energetic growth and progress in capabilities,” Mandiant researchers Govand Sinjari and Andy Morales mentioned.

Discovered this text attention-grabbing? Observe us on Twitter and LinkedIn to learn extra unique content material we put up.



RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

- Advertisment -
Google search engine

Most Popular

Recent Comments