Original Release Date: 3/4/2021
Gootloader, the multi-payload malware platform, is actively targeting entities in the US, Germany, and South Korea. The infection chain begins with social engineering techniques, including manipulated search engine optimization (SEO) that pushes malicious websites to the top of search engine results. The poisoned result leads to a fraudulent forum website containing a link that, when clicked, downloads a JavaScript file and begins the next stages of the attack. Using fileless techniques, the malicious activity can remain unnoticed by the user and enables the download of additional malware, including the Kronos malware, the Cobalt Strike exploitation tool, the Gootkit trojan, or Sodinokibi ransomware.
The NJCCIC recommends users run a security solution on their devices that can detect suspicious activity in memory and protect against fileless malware. Windows users can also turn off the “Hide Extensions for Known File Types” view setting in Windows File Explorer, so that a downloaded script is shown with its real extension. Additionally, users are encouraged to verify websites prior to visiting them and refrain from downloading files or programs from untrusted or unofficial websites. For more information on the Gootloader platform and indicators of compromise, review the Sophos article and Help Net Security article.
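The File Explorer recommendation above maps to a single per-user registry value. The following PowerShell script is an added example, not part of the NJCCIC advisory: it audits every loaded interactive user hive for the `HideFileExt` value (a real Explorer setting, 1 = extensions hidden, 0 = shown) and, with `-Remediate`, sets it to 0. The function name `Get-HideFileExtStatus` and the `-Remediate` switch are this example's own.

```powershell
# Added example (not from the NJCCIC advisory): audit, and optionally fix, the
# "Hide extensions for known file types" setting for every loaded user profile.
# The value lives under each user's
# Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
# (1 = extensions hidden, 0 = shown). Explorer picks up a change at next logon
# or when explorer.exe is restarted.

function Get-HideFileExtStatus {
    [CmdletBinding()]
    param(
        # Set -Remediate to force HideFileExt to 0 wherever it is not already 0.
        [switch]$Remediate
    )

    # Loaded user hives under HKEY_USERS are named by SID. Keep only normal
    # domain/local accounts (S-1-5-21-...) and skip the *_Classes hives.
    $hives = Get-ChildItem 'Registry::HKEY_USERS' | Where-Object {
        $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$'
    }

    foreach ($hive in $hives) {
        $key = "$($hive.PSPath)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
        if (-not (Test-Path $key)) { continue }

        # A missing value behaves like the Windows default (1, hidden).
        $current = (Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
        if ($null -eq $current) { $current = 1 }

        $fixed = $false
        if ($Remediate -and $current -ne 0) {
            Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
            $fixed = $true
        }

        [pscustomobject]@{
            Sid             = $hive.PSChildName
            ExtensionsShown = ($current -eq 0)
            Remediated      = $fixed
        }
    }
}

# Report only (run elevated to see other users' loaded hives):
Get-HideFileExtStatus | Format-Table -AutoSize
# Enforce the advisory's recommendation:
# Get-HideFileExtStatus -Remediate
```

Only hives that are currently loaded appear under HKEY_USERS, so profiles of users who are not logged on are not covered by this check.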