Gootloader spreading via malicious ZIP files on compromised sites

Gootloader is the name given to the newly expanded delivery system used by the Gootkit RAT, a notorious banking Trojan that focuses on stealing banking credentials.

Gootkit was first documented in 2014, and the JavaScript-based malware platform is capable of a range of covert activities, from capturing keystrokes and taking screenshots to web injection, video recording and password theft.

According to Sophos, it builds on the malware delivery method pioneered by the threat actors behind the REvil ransomware: a JavaScript-based infection framework that delivers a variety of payloads, including ransomware, filelessly.

How Gootloader expands its payload delivery systems

Gootloader uses malicious SEO techniques to manipulate Google search results; this search engine deoptimization is the first phase of the attack.

This is possible because the Gootloader operators maintain a network of servers hosting compromised legitimate websites belonging to real businesses. When a visitor clicks the poisoned search result, they are not shown the site's normal content but a purpose-built page that appears to answer their exact question, using the same wording as the search query.

When the visitor clicks the “direct download link” on that page, they receive a .zip archive whose filename matches the search query; inside is a JavaScript (.js) file named in precisely the same way. That JavaScript file is the initial infector, and it is the only stage of the infection at which a malicious file is written to the filesystem.

Once the target double-clicks the script, the rest of the infection chain runs entirely in memory, out of the reach of traditional endpoint protection tools.
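Because the .js file is the one artifact that touches disk, the downloaded ZIP is the natural place to triage. The following is an added example written for this page (it is not code from the article, from Sophos or from the Gootloader operators) that checks an archive for the lure shape described above: a ZIP named after a search phrase that contains a script file with the same base name. The sample archives and the search phrase are constructed for the demo; the script-extension list and the "reads like a search query" word-count heuristic are this example's own assumptions, not facts taken from the article.

```python
"""Triage a downloaded ZIP for the Gootloader lure pattern (added example)."""
import io
import os
import re
import zipfile
from dataclasses import dataclass, field
from typing import List

# Assumption: script types a Windows double-click hands to the script host.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe"}


@dataclass
class ZipVerdict:
    suspicious: bool = False
    reasons: List[str] = field(default_factory=list)
    members: List[str] = field(default_factory=list)


def _stem(name: str) -> str:
    """Lower-cased filename without directory or extension."""
    return os.path.splitext(os.path.basename(name))[0].casefold().strip()


def looks_like_search_phrase(name: str) -> bool:
    """Assumed heuristic: four or more words separated by spaces/underscores."""
    words = [w for w in re.split(r"[\s_]+", _stem(name)) if w]
    return len(words) >= 4


def triage_zip(data: bytes, archive_name: str) -> ZipVerdict:
    """Flag archives matching the lure pattern without extracting anything."""
    verdict = ZipVerdict()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [m for m in zf.infolist() if not m.is_dir()]
    except zipfile.BadZipFile:
        verdict.reasons.append("not a valid ZIP archive")
        return verdict

    verdict.members = [m.filename for m in members]
    scripts = [m for m in members
               if os.path.splitext(m.filename)[1].casefold() in SCRIPT_EXTENSIONS]
    if not scripts:
        return verdict  # no script-host file: not this lure pattern

    if len(members) == 1:
        verdict.reasons.append("archive contains exactly one file and it is a script")
    for m in scripts:
        if _stem(m.filename) == _stem(archive_name):
            verdict.reasons.append(f"script {m.filename!r} is named after the archive")
    if looks_like_search_phrase(archive_name):
        verdict.reasons.append("archive name reads like a search query")

    # A script alone is not enough (legitimate tooling ships .js inside ZIPs);
    # require the name mirroring or the single-script structure as well.
    verdict.suspicious = len(verdict.reasons) >= 2
    return verdict


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {filename: bytes} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed fixtures: a lure-shaped archive and a benign one.
LURE_NAME = "what is a post nuptial agreement in maryland.zip"
LURE_ZIP = build_zip({"what is a post nuptial agreement in maryland.js": b"var a = 1;"})
BENIGN_NAME = "site-assets.zip"
BENIGN_ZIP = build_zip({"css/main.css": b"body{}", "js/app.js": b"console.log(1)"})

if __name__ == "__main__":
    for name, blob in ((LURE_NAME, LURE_ZIP), (BENIGN_NAME, BENIGN_ZIP)):
        v = triage_zip(blob, name)
        print(f"{name}: suspicious={v.suspicious} reasons={v.reasons}")
```

The check deliberately reads only the central directory (names and sizes) and never extracts or executes the member, so it is safe to run in a mail gateway or download-scanning hook; a hit should then go to sandbox detonation rather than to an analyst's double-click.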

What is Gootloader's mode of operation?

How the Gootloader operators gain access to these websites to serve the malicious injects remains unclear, but Sophos researchers suspect the attackers obtained the sites' login credentials either through Gootkit infections or by purchasing stolen credentials from underground markets.

Furthermore, the criminals tend to reuse proven techniques rather than develop new ones. And rather than actively attacking endpoint tools as other malware distributors do, the creators of Gootloader opt for evasive techniques that conceal the end result.
