Once used exclusively by the cybercriminals behind REVil ransomware and the Gootkit banking trojan, GootLoader and its primary payload have evolved into an initial access as a service platform—with Gootkit providing information stealing capabilities as well as the capability to deploy post-exploitation tools and ransomware.
GootLoader is known for using search engine optimization (SEO) poisoning for its initial access. Victims are often enticed into clicking on malicious adware or links disguised as legitimate marketing, or in this case a legitimate Google search directing the user to a compromised website hosting a malicious payload masquerading as the desired file. If the malware remains undetected on the victim’s machine, it makes way for a second-stage payload known as GootKit, which is a highly evasive info stealer and remote access Trojan (RAT) used to establish a persistent foothold in the victim’s network environment.
Read more…
Source: Sophos
Related:
- Critical RCE Vulnerability Found in Cisco WebEx Extensions, Again — Patch Now!
July 17, 2017
A highly critical vulnerability has been discovered in the Cisco Systems’ WebEx browser extension for Chrome and Firefox, for the second time in this year, which could allow attackers to remotely execute malicious code on a victim’s computer. Cisco WebEx is a popular communication tool for online events, including meetings, webinars and video conferences that help ...
- NSA Advocates Data Sharing Framework
June 23, 2017
The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That’s why Neal Ziring, technical director for the NSA’s Capabilities Directorate, wants to flip the financial equation on bad guys. “We need to conduct defenses in a way that ...