
Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

Gootkit, also known as GootLoader, has been observed in targeted attacks against healthcare and financial organizations in the US, UK, and Australia, according to a recent report from Cybereason. Gootkit was first discovered in 2014 as a banking Trojan, but since 2021 it has operated primarily as a malware loader.

The Gootkit infection starts with SEO poisoning and malicious Google ads that lure a user to a site impersonating a piece of software's legitimate website. Once the downloaded Gootkit payload is executed, its malicious JavaScript establishes persistence on the device and launches the main loader. This JavaScript is notable because the malicious code is hidden inside copies of legitimate JavaScript libraries such as jQuery, Chroma.js, and Underscore.js, so the file looks benign on cursory inspection. After the loader ran, Gootkit was observed deploying both Cobalt Strike and SystemBC, which the threat actor used to escalate privileges and move laterally within the infected network.

These attacks are notable for how aggressively the threat actors moved to compromise the entire network. Additional hosts were compromised and privileges escalated less than four hours after the initial Gootkit infection, leading to a very rapid compromise of the whole environment.

Analyst Notes

Infections via malicious Google ads have become increasingly common in recent months, indicating that the tactic is gaining traction among threat actors. It is recommended to install an ad blocker in web browsers, as this can prevent malicious Google ads from being served and so stop an unsuspecting user from landing on the malicious site instead of the legitimate one. In cases where masquerading malware such as Gootkit is downloaded anyway, it is highly recommended to ensure proper endpoint security controls are installed on all devices within the organization, as these can prevent the malware from infecting the system in the first place. Where prevention fails, detection can alert the organization to a possible infection. The Gootkit infection and the network compromise that follows exhibit behavior that is abnormal on ordinary systems: wscript.exe creating a scheduled task, wscript.exe launching powershell.exe, powershell.exe communicating with unknown remote IP addresses, and PsExec being used to access a remote system. Binary Defense's Managed Detection and Response service is an excellent asset to assist with these types of detection needs.
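The four behaviors listed above map directly onto parent/child process and network-connection telemetry. The following is an added example, not code from Binary Defense or from the Cybereason report: a small Python detection pass that runs those four rules over constructed Sysmon-style events (EventID 1 for process creation, EventID 3 for network connections). The hostnames, paths, command lines and IP addresses are made up for illustration, and treating RFC 1918 ranges as the only "known" destinations is an assumption of the example, not a finding of the report.

```python
"""Toy detection pass for the Gootkit post-infection behaviours described above.

Added example, not Binary Defense or Cybereason code. Events are constructed in a
Sysmon-like shape: EventID 1 = process creation (Image, ParentImage, CommandLine),
EventID 3 = network connection (Image, DestinationIp). All values are made up.
"""
import ipaddress

# Assumption of the example: only RFC 1918 space counts as "known" destinations.
KNOWN_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon logs full image paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def _is_known(ip: str) -> bool:
    """True if the destination falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def rule_wscript_schtasks(ev):
    """wscript.exe spawning schtasks.exe /create: persistence set up by the loader JS."""
    if (ev["EventID"] == 1 and _basename(ev["ParentImage"]) == "wscript.exe"
            and _basename(ev["Image"]) == "schtasks.exe"
            and "/create" in ev["CommandLine"].lower()):
        return "wscript.exe created a scheduled task"
    return None


def rule_wscript_powershell(ev):
    """wscript.exe spawning PowerShell: the JS stager handing off to the loader."""
    if (ev["EventID"] == 1 and _basename(ev["ParentImage"]) == "wscript.exe"
            and _basename(ev["Image"]) in ("powershell.exe", "pwsh.exe")):
        return "wscript.exe launched powershell.exe"
    return None


def rule_powershell_external(ev):
    """powershell.exe connecting to an address outside the known ranges."""
    if (ev["EventID"] == 3 and _basename(ev["Image"]) == "powershell.exe"
            and not _is_known(ev["DestinationIp"])):
        return f"powershell.exe connected to unknown address {ev['DestinationIp']}"
    return None


def rule_psexec(ev):
    """PsExec in use: the client on the source host, or PSEXESVC.exe on the target."""
    if (ev["EventID"] == 1
            and _basename(ev["Image"]) in ("psexec.exe", "psexec64.exe", "psexesvc.exe")):
        return "PsExec used for remote execution"
    return None


RULES = (rule_wscript_schtasks, rule_wscript_powershell,
         rule_powershell_external, rule_psexec)


def detect(events):
    """Run every rule over every event; return (host, rule name, message) tuples."""
    alerts = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((ev["Host"], rule.__name__, msg))
    return alerts


# Constructed sample telemetry (not real captured data).
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\victim\Downloads\Agreement_Template.js"'},
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Updater" /SC ONLOGON /TR "wscript.exe ..."'},
    {"EventID": 1, "Host": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -enc SQBFAFgA..."},
    {"EventID": 3, "Host": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.45"},
    {"EventID": 3, "Host": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "10.0.0.5"},
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Tools\PsExec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"PsExec.exe \\SRV01 -s cmd.exe"},
    {"EventID": 1, "Host": "SRV01", "Image": r"C:\Windows\PSEXESVC.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe"},
    {"EventID": 1, "Host": "WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for host, rule, msg in detect(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {msg}")
```

On the constructed sample, the explorer.exe to wscript.exe launch and the notepad.exe launch produce nothing (wscript.exe alone is routine on many estates), the internal 10.0.0.5 connection is suppressed by the allow list, and the remaining five events each raise one alert, including PsExec being caught on both the source (PsExec.exe) and the target (PSEXESVC.exe). In production these rules would be expressed in the EDR or SIEM's own query language, and the allow list would be the organization's real address plan rather than bare RFC 1918 ranges.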

https://thehackernews.com/2023/02/gootkit-malware-adopts-new-tactics-to.html

https://www.cybereason.com/blog/threat-alert-gootloader-seo-poisoning-and-large-payloads-leading-to-compromise