Recent investigations by Cybereason have revealed that the Gootkit malware, also known as Gootloader, is primarily targeting healthcare and financial entities across the United States, United Kingdom, and Australia. These findings shed light on the evolving threat landscape, emphasizing the need for heightened vigilance in these sectors.
In a December 2022 cybersecurity incident, Cybereason observed a new deployment method employed by the threat actors. After gaining an initial foothold, the attackers used that access to deploy tools such as Cobalt Strike and SystemBC for post-exploitation activities. They operated quickly, achieving control over the compromised network and escalating privileges in less than four hours.
In its analysis published on February 8, 2023, Cybereason emphasized the aggressive approach of the attackers, who rapidly secured elevated privileges within the victim's network. Gootkit began as a banking trojan in 2014 and has since evolved into a sophisticated loader that delivers follow-on payloads with alarming efficiency.
This transformation was first reported by Sophos in March 2021, highlighting Gootloader's use of heavily obfuscated JavaScript files. These files are distributed through compromised WordPress sites that are artificially pushed up search engine rankings through search-ranking (SEO) poisoning. Victims searching for contracts or agreements on search engines such as DuckDuckGo and Google may inadvertently land on these malicious pages, ultimately leading to Gootloader's installation.
The current tactics are especially noteworthy as they involve disguising malicious code within legitimate JavaScript libraries, including jQuery, Chroma.js, Sizzle.js, and Underscore.js. This method enables the delivery of a secondary 40 MB JavaScript payload that establishes persistence and initiates the installation of the malware.
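Because the loader hides inside copies of libraries a site legitimately ships, one defensive check is to pin a hash manifest for bundled JavaScript and flag any file that deviates from it or grows far beyond a sane size. The following is an added example, not code from Cybereason or the article; the manifest, file names, size ceiling and sample contents are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of a byte string (used for both manifest and audit)."""
    return hashlib.sha256(data).hexdigest()


def audit_js_files(root: str, manifest: dict, max_bytes: int = 5_000_000) -> list:
    """Report .js files under root that deviate from a pinned manifest.

    manifest maps a root-relative path to the SHA-256 of the library as shipped.
    A file is flagged if it is absent from the manifest, if its hash differs, or if it
    exceeds max_bytes. The size ceiling is a second, independent signal: the second-stage
    JavaScript described in the article is on the order of 40 MB, far larger than any
    real jQuery or Underscore build, so it is caught even if the manifest is incomplete.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()
            expected = manifest.get(rel)
            if expected is None:
                findings.append((rel, "not in manifest"))
            elif sha256_bytes(data) != expected:
                findings.append((rel, "hash mismatch"))
            if len(data) > max_bytes:
                findings.append((rel, f"oversized: {len(data)} bytes"))
    return sorted(findings)


def demo() -> list:
    """Constructed web root: one intact library and one with inert bulk appended."""
    clean = b"/* constructed stand-in for a minified library */ var lib = {};\n"
    tampered = clean + b"/* constructed padding, not real code */ var pad = '" + b"A" * 6_000_000 + b"';\n"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        with open(os.path.join(root, "js", "jquery.min.js"), "wb") as fh:
            fh.write(clean)
        with open(os.path.join(root, "js", "underscore.js"), "wb") as fh:
            fh.write(tampered)
        # Both entries pin the clean build; the tampered copy should therefore mismatch.
        manifest = {"js/jquery.min.js": sha256_bytes(clean), "js/underscore.js": sha256_bytes(clean)}
        return audit_js_files(root, manifest)
```

In production the manifest would be generated at build or deploy time from the vendored library files and the audit run on a schedule against the live web root.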
In the incident examined by Cybereason, Gootloader not only facilitated an initial attack but also cleared the way for further actions, including lateral movement and potential data exfiltration through the deployment of Cobalt Strike and SystemBC. Fortunately, this ongoing attack was ultimately thwarted.
This incident aligns with a broader trend of cybercriminals utilizing Google Ads and other online platforms as vectors for malware distribution. As the Gootkit case illustrates, threat actors are increasingly refocusing their efforts on malware-as-a-service (MaaS) models, adapting their tactics to exploit new vulnerabilities and maximize profits.