"Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers"

The operators of the Gootkit Access-as-a-Service (AaaS) malware have reemerged with updated techniques for compromising unsuspecting victims. Gootkit previously disguised its malicious files as freeware installers; according to Trend Micro researchers, it now uses legal-document lures to trick users into downloading them. The findings add to a previous report from eSentire, which revealed widespread attacks on accounting and law firm employees aimed at deploying malware on their systems.

Gootkit is part of a growing underground ecosystem of access brokers, which sell other malicious actors a path into corporate networks for a fee, paving the way for follow-on damaging attacks such as ransomware. The loader relies on malicious search engine results, a technique known as Search Engine Optimization (SEO) poisoning, to lure users to compromised websites hosting malware-laced ZIP packages purportedly related to real estate disclosure agreements. The researchers pointed out that the combination of SEO poisoning and compromised legitimate websites can mask the indicators of malicious activity that would normally put users on guard. The ZIP file contains a JavaScript file that loads a Cobalt Strike binary, a post-exploitation tool that the loader runs filelessly in memory. This article continues to discuss the updated Gootkit loader.
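The infection chain summarized above hinges on one observable: an archive presented as a legal document whose actual payload is a script. The following Python check is an added example, not code from THN, Trend Micro or eSentire; it inspects a downloaded ZIP for script-type members, including names such as "agreement.pdf.js" that hide the real extension behind a document-looking one. The extension lists, the `Finding` type and the sample archive contents are constructed for this illustration.

```python
import io
import zipfile
from dataclasses import dataclass

# Constructed for this example: extensions that Windows hands to a script host
# or executes directly on double-click. An archive posing as a legal document
# should contain none of these.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".ps1", ".cmd", ".bat", ".lnk", ".exe", ".scr"}
# Document types a lure is likely to imitate (used to spot double extensions).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}


@dataclass
class Finding:
    member: str   # archive member name as stored in the ZIP
    reason: str   # human-readable explanation for the analyst


def _extensions(name: str) -> list[str]:
    """Return every dotted suffix of a member's base name, lowercased.

    'docs/Disclosure.pdf.js' -> ['.pdf', '.js']; 'README' -> [].
    """
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def inspect_archive(zip_bytes: bytes) -> list[Finding]:
    """Flag archive members that would execute as code when opened.

    Operates on the raw ZIP bytes so it can run on a quarantined download
    without extracting anything to disk.
    """
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            if not exts or exts[-1] not in SCRIPT_EXTENSIONS:
                continue
            last = exts[-1]
            if len(exts) > 1 and exts[-2] in DOCUMENT_EXTENSIONS:
                reason = f"document extension {exts[-2]} masks script type {last}"
            else:
                reason = f"script/executable member ({last})"
            findings.append(Finding(info.filename, reason))
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name -> content mapping (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed stand-in for the lure described in the article: a ZIP named
    # after a real estate disclosure whose only payload is a JavaScript file.
    lure = build_sample_zip({
        "real_estate_disclosure_agreement.js": b"// placeholder text, not a real loader\n",
        "notes.txt": b"cover text\n",
    })
    for finding in inspect_archive(lure):
        print(f"{finding.member}: {finding.reason}")
```

The check is deliberately narrow: it says nothing about what the script does, only that a "document" archive contains something the operating system will execute, which is enough to hold the download for review before a user double-clicks it.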

THN reports "Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers"

Submitted by Anonymous on