Gootkit delivery platform Gootloader used to deliver additional payloads

The Javascript-based infection framework for the Gootkit RAT was enhanced to deliver a wider variety of malware, including ransomware.

Experts from Sophos documented the evolution of the “Gootloader,” the framework used for delivering the Gootkit RAT banking Trojan. The framework was improved to deploy a wider range of malware, including ransomware payloads.

“In recent years, almost as much effort has gone into improvement of its delivery method as has gone into the NodeJS-based malware itself.” reads the analysis published by researchers Gabor Szappanos and Andrew Brandt from Sophos.

“In addition to the REvil and Gootkit payloads, Gootloader has been used most recently to deliver the Kronos trojan and Cobalt Strike. In its latest attempts to evade detection by endpoint security tools, Gootloader has moved as much of its infection infrastructure to a “fileless” methodology as possible.”

The Gootkit delivery platform was used by multiple threat actors to deliver ransomware and other malware, including the REvil ransomware, the Kronos trojan, and Cobalt Strike.

Recently Gootloader attempted to evade detection has started using “fileless” methodology.

Telemetry reveals that crooks are using this technique to spread multiple payloads in South Korea, Germany, France, and across North America.

The framework uses black search engine optimization (SEO) techniques to poison Google search results and spread links pointing to the malware.

When the visitor clicks on the link provided by the search engine, they are redirected to landing pages that answer their exact questions, using the same wording as the search query.

“And if that same site visitor clicks the “direct download link” provided on this page, they receive a .zip archive file with a filename that exactly matches the search query terms used in the initial search, which itself contains another file named in precisely the same way.” continues the analysis. “This .js file is the initial infector, and the only stage of the infection at which a malicious file is written to the filesystem. Everything that happens after the target double-clicks this script runs entirely in memory, out of the reach of traditional endpoint protection tools.”

Many of the hacked sites employed in the attacks observed by Sophos were serving the fake message board and were running a well-known CMS. It isn’t clear how the attackers gain access to the backend of these sites, but experts speculate the compromises may be the result of any of attacks based on sites’ passwords obtained though the Gootkit malware, or from past data breaches, or by leveraging security exploits in the plugins or add-ons.

Gootloader infection process is multi-stage, it begins with a .NET loader, which comprises a Delphi-based loader malware, which, in turn, contains the final payload in encrypted form.

“The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware,” conclude the experts. “This shows that criminals tend to reuse their proven solutions instead of developing new delivery mechanisms. Further, instead of actively attacking endpoint tools as some malware distributors do, the creators of Gootloader have opted for convoluted evasive techniques that conceal the end result,”

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GootKit)

[adrotate banner=”5″]

[adrotate banner=”13″]