January 29, 2023 | Ravie Lakshmanan | Cyber Threat/Malware

Actors associated with the Gootkit malware have made “significant changes” to their toolset, adding new components and obfuscations to their infection chain.

Google-owned Mandiant, which is tracking the activity cluster under the moniker UNC2565, notes that the use of the malware is "only for this group".

Gootkit, also known as Gootloader, is spread through compromised websites that victims are tricked into visiting, via a technique known as search engine optimization (SEO) poisoning, while searching for business-related documents such as contracts and agreements.

The suspicious document comes in the form of a ZIP archive containing JavaScript malware that, when launched, paves the way for additional payloads such as Cobalt Strike Beacon, FONELAUNCH, and SNOWCONE.

FONELAUNCH is a .NET-based loader designed to load encoded payloads into memory, and SNOWCONE is a downloader that performs the task of retrieving the next-stage payload (usually IcedID) over HTTP.


While Gootkit's overarching goals have not changed, the attack sequence itself has been significantly updated: the JavaScript file inside the ZIP archive is now trojanized with another obfuscated JavaScript file, which is ultimately executed to run the malware.


A new variant discovered by a threat intelligence firm in November 2022 is tracked as GOOTLOADER.POWERSHELL. It is worth noting that the improved infection chain was documented by Trend Micro earlier this month, detailing a Gootkit attack targeting the Australian healthcare sector.

Additionally, the malware authors are said to have adopted three different approaches to hiding Gootkit, including concealing the code within modified versions of legitimate JavaScript libraries such as jQuery, Chroma.js, and Underscore.js to evade detection.
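As an added defender-side illustration (not code from Mandiant or from the article): a Python check that inspects a ZIP lure of the kind described above, reports every JavaScript entry, and flags a file named after a known library (jQuery, Chroma.js, Underscore.js) whose SHA-256 differs from a trusted copy. The trusted hash, the library name pattern and the sample archive are constructed here; in practice the hashes would be taken from the vendor's release files.

```python
import hashlib
import io
import re
import zipfile

# Constructed stand-in for trusted library copies (in practice, hash the file
# from the vendor's release), keyed by the library name a filename claims.
TRUSTED_LIBRARY_HASHES = {
    "jquery": hashlib.sha256(b"/*! jQuery stand-in (constructed) */\n").hexdigest(),
}

# Library names mentioned in the article; extend with whatever your fleet ships.
LIBRARY_NAME_RE = re.compile(r"(jquery|chroma|underscore)", re.IGNORECASE)


def inspect_archive(zip_bytes):
    """Return one finding per JavaScript entry in the archive.

    Any .js inside a document-themed ZIP is worth reporting; an entry named
    like a known library whose hash differs from the trusted copy is flagged
    as a possible modified (trojanized) library.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".js"):
                continue
            data = zf.read(info)
            digest = hashlib.sha256(data).hexdigest()
            finding = {"name": info.filename, "sha256": digest,
                       "size": len(data), "verdict": "js-in-archive"}
            match = LIBRARY_NAME_RE.search(info.filename)
            if match:
                trusted = TRUSTED_LIBRARY_HASHES.get(match.group(1).lower())
                if trusted is None:
                    finding["verdict"] = "unknown-library-copy"
                elif trusted == digest:
                    finding["verdict"] = "matches-trusted-copy"
                else:
                    finding["verdict"] = "modified-library"
            findings.append(finding)
    return findings


def build_sample_archive():
    """Constructed sample: a 'contract' lure ZIP carrying a jQuery-named file
    whose content no longer matches the trusted copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agreement_template.js", b"/* constructed sample */ var x = 1;")
        zf.writestr("jquery-3.6.0.min.js",
                    b"/*! jQuery stand-in (constructed) */\n/* appended code */")
        zf.writestr("readme.txt", b"not a script")
    return buf.getvalue()
```

Run `inspect_archive(build_sample_archive())` to see the two JavaScript entries reported, with the jQuery-named file marked `modified-library`.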

Gootkit is not alone in this. Since May 2021, UNC2565 has used three different flavors of FONELAUNCH, FONELAUNCH.FAX, FONELAUNCH.PHONE and FONELAUNCH.DIALTONE, to execute DLLs, .NET binaries and PE files, indicating that the malware arsenal is continuously maintained and updated.

“These changes demonstrate the active development and feature growth of UNC2565,” said Mandiant researchers Govand Sinjari and Andy Morales.
