Malware campaign: Kronos and GootKit target users from Germany. With "Kronos" and "Gootkit", two well-known malware programs come into play again. The malware is spread via manipulated search engine results.
The current wave began to roll on Thursday. Users from Germany in particular seem to be the focus of the attackers. Numerous compromised websites ensured a wide distribution. One of two malware programs is installed: either Gootkit or Kronos. Both malware programs are banking Trojans.
"Banking Trojans are anything but yesterday's news," says Tim Berghoff, Security Evangelist at G DATA CyberDefense. "The distribution of malicious programs via manipulated search results proves once again that the age of an attack method does not mean that it is obsolete."
Gozi is hiding in the registry
Both malicious programs are loaded onto a system using a so-called "loader" known as "Gozi". This loader is also an old acquaintance – another ransomware called Sodinokibi was previously distributed with this loader (Karsten Hahn also wrote a blog article about Sodinokibi). What makes the Gozi loader special is not only that it currently distributes a different type of malware than usual, Kronos. This loader also hides itself particularly well from access by security programs by not storing the entire malicious code as a file on the PC, but storing it in the system database (the "registry"). G DATA customers are protected by various proactive technologies such as BEAST and DeepRay.
Poisoned search engines
By manipulating search engine results, the compromised websites also slide up in Google searches and are therefore clicked on more often. This manipulation takes place, among other things, by embedding key words and by linking them to other websites. For search engines, relevant keywords and dense links mean that the respective page is relevant and therefore places it higher in the hit list. The result is even more infections. This technique is called “Search Engine Poisoning” (German: “Search engine poisoning”). This positions the pages higher in the hit list, whereas the legitimate websites, which are more likely to be clicked under normal circumstances, slide further down.
More on this at GData.de
About G Data With comprehensive cyber defense services, the inventor of the anti-virus enables companies to defend themselves against cybercrime. Over 500 employees ensure the digital security of companies and users. Made in Germany: With over 30 years of expertise in malware analysis, G DATA conducts research and software development exclusively in Germany. The highest standards of data protection are paramount. In 2011, G DATA issued a “no backdoor” guarantee with the “IT Security Made in Germany” seal of trust from TeleTrust eV. G DATA offers a portfolio from anti-virus and endpoint protection to penetration tests and incident response to forensic analyzes, security status checks and cyber awareness training to defend companies effectively. New technologies such as DeepRay use artificial intelligence to protect against malware. Service and support are part of the G DATA campus in Bochum. G DATA solutions are available in 90 countries and have received numerous awards.