Ethical Hacking News Hubb
Advertisement Banner
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
Wellnessnewshubb
No Result
View All Result
Home Ethical Hackers

Gootkit Malware Continues to Evolve with New Components and Obfuscations

admin by admin
January 29, 2023
in Ethical Hackers


Jan 29, 2023Ravie LakshmananCyber Threat / Malware

The threat actors associated with the Gootkit malware have made “notable changes” to their toolset, adding new components and obfuscations to their infection chains.

Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is “exclusive to this group.”

Gootkit, also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning.

The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as Cobalt Strike Beacon, FONELAUNCH, and SNOWCONE.

FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, and SNOWCONE is a downloader that’s tasked with retrieving next-stage payloads, typically IcedID, via HTTP.

Gootkit Malware

While the overarching goals of Gootkit have remained unchanged, the attack sequence in itself has received significant updates, wherein the JavaScript file within the ZIP archive is trojanized and contains another obfuscated JavaScript file that consequently proceeds to execute the malware.

Gootkit Malware

The new variant, which was spotted by the threat intelligence firm in November 2022, is being tracked as GOOTLOADER.POWERSHELL. It’s worth noting that the revamped infection chain was also documented by Trend Micro earlier this month, detailing Gootkit attacks targeting the Australian healthcare sector.

What’s more, the malware authors are said to have taken three different approaches to obscure Gootkit, including concealing the code within altered versions of legitimate JavaScript libraries such as jQuery, Chroma.js, and Underscore.js, in an attempt to escape detection.

It’s not just Gootkit, as three different flavors of FONELAUNCH – FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE – have been put to use by UNC2565 since May 2021 to execute DLLs, .NET binaries, and PE files, indicating that the malware arsenal is being continuously maintained and updated.

“These changes are illustrative of UNC2565’s active development and growth in capabilities,” Mandiant researchers Govand Sinjari and Andy Morales said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

Automatic SSTI Detection Tool With Interactive Interface

Next Post

How to avoid GoodWill ransomware

Next Post

How to avoid GoodWill ransomware

Recommended

What is Fog Data Science and why should you care?

3 months ago

Live Hacking Event Invitations – 2022 Guide

7 months ago

© 2022 Ethical Hacking News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Ethical Hackers
  • Contact

Newsletter Sign Up.

No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact

© 2022 Ethical Hacking News Hubb All rights reserved.