The operators behind Gootloader, a crew dubbed UNC2565, have upgraded the code in cunning ways to make it more intrusive and harder to find.
Researchers with Google-owned security shop Mandiant started seeing significant changes to the Gootloader malware package – also known as Gootkit – in November 2022, including using multiple variations of FONELAUNCH, a .NET-based loader, as well as some newly developed payloads and obfuscation techniques. There are also changes in its infection chain, including a new variant called Gootloader.PowerShell.
"These changes are illustrative of UNC2565's active development and growth in capabilities," the researchers wrote in a report, adding that the group is the only one known to use the malware.
A Gootloader infection starts via a search engine optimization (SEO) poisoning attack, with a victim who is searching online for business-related documents, such as templates, agreements, or contracts, being lured into going to a website compromised by the criminal gang.
On the site are documents that actually are malicious ZIP archives housing malware written in JavaScript. Once the file file is pened and the malware activated, more payloads like Cobalt Strike, FONELAUNCH, and SNOWCONE are added, as well as another collection of downloaders with payloads including the high-profile IcedID banking trojan.
Three months ago, Mandiant researchers began seeing the Gootloader.PowerShell variant, which includes an infection chain that that writes a...
Read Full Story: https://news.google.com/__i/rss/rd/articles/CBMiQ2h0dHBzOi8vd3d3LnRoZXJlZ2lzdGVyLmNvbS8yMDIzLzAxLzMwL2dvb3Rsb2FkZXJfbWFuZGlhbnRfbWFsd2FyZS_SAUdodHRwczovL3d3dy50aGVyZWdpc3Rlci5jb20vQU1QLzIwMjMvMDEvMzAvZ29vdGxvYWRlcl9tYW5kaWFudF9tYWx3YXJlLw?oc=5
Your content is great. However, if any of the content contained herein violates any rights of yours, including those of copyright, please contact us immediately by e-mail at media[@]kissrpr.com.
