"A Security Team Is Turning This Malware Gang's Tricks Against It"

The attacks and operations of specific cybercriminal groups, such as ransomware gangs, botnet operators, and financial fraudsters, receive special attention. However, the larger ecosystem behind digital crime includes various malicious actors and organizations that sell support services to cybercriminal customers. Researchers from the security company eSentire are disclosing their methods for disrupting the operations of a long-standing criminal group, composed of businesses and other organizations, that sells digital access to other attackers. Known as an initial-access-as-a-service operation, the Gootloader malware and the group behind it have been active for years. The Gootloader gang infects victim organizations and then sells access so that a customer's desired malware can be delivered into the compromised target network, be it ransomware, data exfiltration mechanisms, or other tools to further compromise the target. The eSentire researchers gathered evidence that, between 2019 and 2022, the notorious Russia-based ransomware gang REvil regularly collaborated with Gootloader to get initial access to victims, a relationship that other researchers have also observed. The researchers gathered this evidence by tracking Gootloader page data. Joe Stewart, the principal security researcher at eSentire, and Keegan Keplinger, a senior threat researcher, designed a web crawler to monitor live Gootloader web pages and formerly infected sites. There are currently about 178,000 live Gootloader web pages and over 100,000 pages that appear to have been infected with Gootloader in the past. This article continues to discuss how the researchers applied the same mechanisms used by the cybercriminals behind the Gootloader malware to stop the gang.

Wired reports "A Security Team Is Turning This Malware Gang's Tricks Against It"
