Aug 02 2022

Gootkit AaaS malware is still active and uses updated tactics

Category: MalwareDISC @ 8:47 am

Gootkit access-as-a-service (AaaS) malware is back with tactics and fileless delivery of Cobalt Strike beacons.

Gootkit runs on anĀ access-a-as-a-serviceĀ model, it is used by different groups to drop additional malicious payloads on the compromised systems. Gootkit has been known to use fileless techniques to deliver threats such as theĀ SunCrypt, andĀ REvilĀ (Sodinokibi) ransomware,Ā KronosĀ trojans, and Cobalt Strike.

In the past, Gootkit distributed malware masquerading as freeware installers, now it uses legal documents to trick users into downloading these files. 

The attack chain starts with a user searching for specific information in a search engine. Attackers use black SEO technique to display a website compromised by Gootkit operators among the results.

Upon visiting the website, the victim will notice that it is presented as an online forum directly answering his query. This forum hosted a ZIP archive that contains the malicious .js file, which is used to establish persistence and drop a Cobalt Strike binary in the memory of the infected system.

ā€œWhen the user downloaded and opened this file, it spawned an obfuscated script which, through registry stuffing, installed a chunk of encrypted codes in the registry and added scheduled tasks for persistence. The encrypted code in the registry was then reflectively loaded through PowerShell to reconstruct a Cobalt Strike binary that runs directly in the memory filelessly.ā€ reads theĀ analysisĀ published by Trend Micro. ā€œMuch of what we have just described is still in line with the behavior we reported in 2020, but with a few minor updates. This indicates that Gootkit Loader is still actively being developed and has proved successful in compromising unsuspecting victims.ā€

Experts pointed out that encrypted registries now use custom text replacement algorithm instead of base64 encoding.

gootkit malware

The Cobalt Strike binary loaded directly to the memory of the victimā€™s system has been observed connecting to the IP address 89[.]238[.]185[.]13, which is a Cobalt Strike C2. 

ā€œOne key takeaway from this case is that Gootkit is still active and improving its techniques. This implies that this operation has proven effective, as other threat actors seem to continue using it. Users are likely to encounter Gootkit in other campaigns in the future, and it is likely that it will use new means of trapping victims.ā€ concludes the report. ā€œThis threat also shows that SEO poisoning remains an effective tactic in luring unsuspecting users. The combination of SEO poisoning and compromised legitimate websites can mask indicators of malicious activity that would usually keep users on their guard. Such tactics highlight the importance of user awareness and the responsibility of website owners in keeping their cyberspaces safe.ā€Ā 

Tags: Gootkit AaaS