“Gootkit” becomes “Gootloader”: Banking Trojan mutates into a complex malware platform with multiple attack vectors.
The Gootkit malware family is a well-known accomplice: a Trojan that initially focused on stealing banking data and today carries, among other things, the Cobalt Strike tool, the Kronos banking malware and the REvil ransomware. IT security experts already examined the malware intensively in 2020, in particular its clever delivery mechanisms. What is new is that the attackers have expanded the malware into a multi-payload platform. With variable attack mechanisms, including social engineering, it is most active today in Germany as well as in the USA and South Korea. Because of its current relevance and its platform character, the security experts at SophosLabs have given the multi-payload malware its own name: Gootloader.
Gootloaders target websites first
The Gootloader attackers hack into legitimate websites, change them subtly and also manipulate the SEO in order to display the fake websites to users as top results in their search engine queries, such as Google Search. In addition to localized fake websites, the targeted focus on certain countries even goes so far that users from “non-target countries” who end up on such a website only see random fake content and nothing else happens.
“The creators of Gootloader use a number of social engineering tricks that can fool even tech-savvy IT users. However, there are warning signs to look out for,” said Gabor Szappanos, threat research director at Sophos. “This includes Google search results pointing to websites that have no logical connection with the advice that appears to be offered. Also noticeable are tips that exactly match the search terms used in the initial question and forum-style pages.”
Actively protect against payload systems
If you want to actively protect yourself against multi-payload malware such as Gootloader, you can deactivate the option 'Hide extensions for known file types' in the folder options of Windows Explorer. This lets users see that the ZIP package delivered by the attackers contains a file with a .js extension. JavaScript files are used over and over again for attacks, and running such a downloaded file should always set the alarm bells ringing. In addition, script blockers such as NoScript for Firefox can provide protection against such attacks, as they block the fake content of a hacked website.
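As an added example, not code from the Sophos article, the two checks described here in one PowerShell script: forcing extensions visible through the per-user registry value behind that folder option, and listing .js entries inside downloaded ZIP archives without extracting them. The registry path and the use of .NET's ZipFile class are my assumptions about how to do this; the sample archive is constructed inline so the script runs without a real download.

```powershell
# Added example, not code from the Sophos article. Assumes Windows PowerShell 5.1 or
# later and the standard per-user Explorer registry location; the sample archive is
# constructed inline so the script runs without a real Gootloader download.

# 1. The 'Hide extensions for known file types' checkbox in Explorer's folder options
#    is backed by this per-user value (0 = show extensions, 1 = hide them).
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advKey -Name 'HideFileExt' -Value 0 -Type DWord
# Explorer reads the value at start-up, so restart explorer.exe or sign out to see it.

# 2. Inspect a ZIP's central directory without extracting anything and return every
#    entry that ends in .js, the extension the article says the delivered archive hides.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Find-ScriptInZip {
    param([Parameter(Mandatory)][string]$ZipPath)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.Name -match '\.js$') {   # -match is case-insensitive by default
                [pscustomobject]@{ Archive = $ZipPath; Entry = $entry.FullName; Bytes = $entry.Length }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# 3. Constructed sample: a harmless text file with a .js name inside a ZIP, built in %TEMP%.
$work = Join-Path $env:TEMP ('zip-audit-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $work 'src') | Out-Null
Set-Content -Path (Join-Path $work 'src\sample.js') -Value '// constructed placeholder, does nothing'
$sampleZip = Join-Path $work 'sample.zip'
[System.IO.Compression.ZipFile]::CreateFromDirectory((Join-Path $work 'src'), $sampleZip)

# 4. Scan the sample plus every ZIP in the user's Downloads folder and report the hits.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
$targets = @($sampleZip) + (Get-ChildItem $downloads -Filter '*.zip' -File -ErrorAction SilentlyContinue).FullName
$hits = $targets | Where-Object { $_ } | ForEach-Object { Find-ScriptInZip -ZipPath $_ }

if ($hits) {
    Write-Warning 'ZIP archives containing a .js file were found; do not open these entries:'
    $hits | Format-Table -AutoSize
} else {
    Write-Host 'No scanned ZIP archive contains a .js file.'
}
Remove-Item -Recurse -Force $work
```

The constructed sample is always reported, which confirms the check works before any real download is inspected.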
More on this at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.