Our in-depth analysis of what began as an unusual PowerShell script revealed intrusion sets associated with the Gootkit loader. In the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into downloading these files. We uncovered this tactic through managed extended detection and response (MxDR) by investigating an alert on a PowerShell script, which allowed us to stop it before it could drop its payload and cause any damage. Gootkit has been known to use fileless techniques to deliver noteworthy threats such as the SunCrypt and REvil (Sodinokibi) ransomware, Kronos trojans, and Cobalt Strike.

In 2020, we reported on Gootkit's capabilities. While it has kept much the same behavior as in our previous report, the updates reveal its continuing activity and development nearly two years later. Because it has been associated with a variety of payloads, we can assume that Gootkit runs on an access-as-a-service model. It can therefore be used by different groups to conduct their attacks, making it worth monitoring to prevent bigger threats from successfully entering a system.

Figure 1 illustrates its infection routine. It begins with a user searching for specific information in a search engine. In this case, the user had searched for the keywords “disclosure agreement real estate transaction”. A website compromised by Gootkit operators was among the results, meaning that the user did not open this compromised website by chance. Indeed, the operators had tweaked the odds in their favor by using Search Engine Optimization (SEO) poisoning to make this website rank high in the search results, leading the user to visit the compromised website.