Investigating the Gootkit Loader

Since October 2020, we have seen an increase in the number of Gootkit cases targeting users in Germany. We investigated this development and found that the Gootkit loader is now capable of sophisticated behavior that lets it load itself onto an affected system surreptitiously and makes analysis and detection more difficult.

This capability was used to deploy a DLL file. Gootkit has, in the past, been tied to Cobalt Strike deployments as well as to ransomware attacks. Some of the recent victims later suffered SunCrypt ransomware attacks, although it is unclear whether this was the work of the Gootkit threat actor or whether access was sold to other threat actors. We have also discovered in recent weeks that the Gootkit loader is being used in combination with REvil/Sodinokibi ransomware.

Source: Trend Micro