"UNC2565 Threat Actors Continue to Improve the GOOTLOADER Malware"

The UNC2565 group behind the GOOTLOADER malware, also known as Gootkit, continues to develop its code by adding new components and adopting new obfuscation techniques, according to researchers at Mandiant. Gootkit operates under an Access-as-a-Service (AaaS) model and is used by various groups to drop additional malicious payloads on compromised systems. Gootkit has been observed delivering threats such as SunCrypt and REvil (Sodinokibi) ransomware, Kronos Trojans, and Cobalt Strike through fileless tactics. In the past, Gootkit spread malware disguised as freeware installers and used legal documents to deceive victims into downloading the malicious files. The attack chain begins with a user searching for specific information. The attackers use Search Engine Optimization (SEO) techniques to push a website compromised by Gootkit operators higher in search engine results. When the victim visits the website, it is presented as an online forum that directly answers their query. This forum hosts a ZIP archive containing a malicious .JS file that establishes persistence and loads a Cobalt Strike binary into the infected system's memory. In November 2022, researchers at Mandiant identified a new variant of GOOTLOADER, tracked as GOOTLOADER.POWERSHELL, which uses a new infection chain. According to the researchers, the new variant writes a second .JS file to disk and creates a scheduled task to execute it. This article continues to discuss the new variant of GOOTLOADER.

Security Affairs reports "UNC2565 Threat Actors Continue to Improve the GOOTLOADER Malware"