An “aggressive threat actor” is targeting the finance and healthcare sectors with Gootloader malware and SEO poisoning tactics, according to the Cybereason Incident Response team. The threat level should be viewed as severe, “given the potential of the attacks.”
“The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than 4 hours,” researchers wrote.
Cybereason investigated a successful incident in December that used new deployments of Gootloader, which revealed a number of concerning tactics, including the SEO poisoning techniques to lure victims into downloading malicious payloads. These methods have been used in other recent attacks, spotlighting the possibility of an ongoing campaign.
The attack analysis confirmed multiple layers of obfuscation and the “existence of multiple JavaScript loops that makes the execution longer, probably acting as an anti-sandbox mechanism.”
Gootloader is a highly evasive variant that masquerades with legitimate JavaScript code to hide from traditional security mechanisms. Beginning as a trojan in 2014, the actors transitioned to a malware loader in 2021, adding the Gootloader name. Mandiant has given the operators the name UNC2565, while Sophos first dubbed the variant "Gootloader."
“The actors create websites or populate web forums or similar websites with specific keywords and links, leading to a website hosting the infected file,” researchers wrote....
Read Full Story: https://news.google.com/rss/articles/CBMidmh0dHBzOi8vd3d3LnNjbWFnYXppbmUuY29tL2FuYWx5c2lzL21hbHdhcmUvZ29vdGxvYWRlci1tYWx3YXJlLXNlby1wb2lzb25pbmctdGFyZ2V0cy1oZWFsdGhjYXJlLWluLWFnZ3Jlc3NpdmUtY2FtcGFpZ27SAQA?oc=5
Your content is great. However, if any of the content contained herein violates any rights of yours, including those of copyright, please contact us immediately by e-mail at media[@]kissrpr.com.
