A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads known to be GootKit Malware revolving around banking credential theft

Dubbed “Gootloader,” the expanded malware delivery system comes amid a surge in the number of infections targeting users .GootKit is a Javascript-based malware platform capable of carrying out an array of covert activities, including web injection, capturing keystrokes, taking screenshots, recording videos, as well as email and password theft. Evolved over years combining with REvil and Sodinokobi

The infection chain resorts to sophisticated techniques that involve hosting malicious ZIP archive files on websites belonging to legitimate businesses that have been gamed to appear among the top results of a search query using manipulated search engine optimization (SEO) methods, where results point to the website that has no logical connection to the query searched so attackers are in a possession to hack website

To ensure targets from the right geographies are captured, the adversaries rewrite website code ‘on the go’ so that website visitors who fall outside the desired countries are shown benign web content, while those from the right location are shown a page featuring a fake discussion forum on the topic they’ve queried,

Clicking the search result takes the user to a fake message board-like page that matches not only the search terms used in the initial query but also includes a link to the ZIP file, which contains a heavily obfuscated Javascript file that initiates the next stage of compromise to inject the fileless malware fetched from a remote server into memory.

This takes the form of a multi-stage evasive approach that begins with a .NET loader, which comprises a Delphi-based loader malware, which, in turn, contains the final payload in encrypted form.

Delivering the REvil ransomware and the Gootkit trojan, multiple campaigns have been spotted currently leveraging the Gootloader framework to deliver the Kronos financial malware in Germany stealthily, and the Cobalt Strike post-exploitation tool in the U.S.