A framework notorious for delivering a banking Trojan has received a facelift to deploy a wider range of malware, including ransomware payloads. The framework, known as Gootloader, takes its name from the Gootkit malware, a banking Trojan built around the theft of banking credentials.
The infection chain relies on hosting malicious ZIP archive files on websites belonging to legitimate businesses. Using manipulated search engine optimization (SEO) techniques, the attackers game those sites into appearing among the top results for a search query. The sites typically have no logical connection to the query being searched, a tell-tale sign that the attackers have compromised an existing website rather than built one for the campaign.
To ensure that targets from the right geographies are captured, the adversaries rewrite the website code on the fly: visitors from outside the desired countries are shown benign web content, while those from the right location are shown a page featuring a fake discussion forum on the very topic they searched for.
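The delivery pattern described above (search engine result, landing on an unrelated business site, ZIP download from that same site) leaves a recognisable trail in web proxy logs. The following detection script is an added example, not code from the article or from any Gootloader analysis: it parses constructed proxy log lines (timestamp, client IP, method, URL, status, Referer) and flags a ZIP download that follows, within a short window, a search-engine referral to the same host. The log format, the hostnames and the five-minute window are assumptions made for the example.

```python
import re
from datetime import datetime
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log lines (not from the article). Format assumed for
# this example: timestamp, client IP, method, URL, HTTP status, Referer ("-" if none).
# The hostnames are placeholders, not real compromised sites.
SAMPLE_LOG = """\
2021-03-02T10:14:02Z 10.0.0.12 GET https://www.google.com/search?q=agreement+template 200 -
2021-03-02T10:14:09Z 10.0.0.12 GET https://example-lawfirm.test/forum.php?post=agreement 200 https://www.google.com/search?q=agreement+template
2021-03-02T10:14:15Z 10.0.0.12 GET https://example-lawfirm.test/download.php?file=agreement_template_12345.zip 200 https://example-lawfirm.test/forum.php?post=agreement
2021-03-02T10:20:01Z 10.0.0.33 GET https://vendor.test/docs/manual.zip 200 https://vendor.test/docs/
2021-03-02T10:25:44Z 10.0.0.12 GET https://cdn.test/lib.js 200 https://example-lawfirm.test/
"""

# Hosts treated as search engines; extend for your environment.
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<ref>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def is_zip_download(url):
    """True if the request path, or any query-string value, names a .zip file."""
    parts = urlparse(url)
    if parts.path.lower().endswith(".zip"):
        return True
    return any(v.lower().endswith(".zip")
               for values in parse_qs(parts.query).values() for v in values)


def find_seo_poisoned_downloads(log_text, window_seconds=300):
    """Flag ZIP downloads that follow a search-engine referral to the same host.

    Pattern: the client lands on some non-search host with a search-engine
    Referer, then within window_seconds downloads a .zip from that same host.
    Returns one finding per matching download.
    """
    landings = {}   # client -> list of (landing time, landing host, search query)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host = urlparse(rec["url"]).netloc
        ref = urlparse(rec["ref"]) if rec["ref"] != "-" else None
        if ref is not None and ref.netloc in SEARCH_ENGINE_HOSTS and host not in SEARCH_ENGINE_HOSTS:
            # parse_qs turns "agreement+template" into "agreement template"
            query = parse_qs(ref.query).get("q", [""])[0]
            landings.setdefault(rec["client"], []).append((rec["ts"], host, query))
        if is_zip_download(rec["url"]):
            for land_ts, land_host, query in landings.get(rec["client"], []):
                delta = (rec["ts"] - land_ts).total_seconds()
                if land_host == host and 0 <= delta <= window_seconds:
                    findings.append({
                        "client": rec["client"],
                        "host": host,
                        "query": query,
                        "zip_url": rec["url"],
                        "seconds_after_search_landing": delta,
                    })
                    break
    return findings


if __name__ == "__main__":
    for finding in find_seo_poisoned_downloads(SAMPLE_LOG):
        print(finding)
```

Run against the sample log, the script flags only the `10.0.0.12` sequence (search, landing page with a Google Referer, ZIP from the same host six seconds later); the `manual.zip` fetched directly from a vendor documentation site is not flagged because nothing ties it to a search-engine referral. In production the rule is a triage signal rather than a verdict: follow up by checking whether the landing host is plausibly related to the query and by inspecting the archive contents.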
Opening the download kicks off a multi-stage, evasive approach that begins with a .NET loader, which embeds a Delphi-based loader, which in turn carries the final payload in encrypted form.
Multiple campaigns have been spotted currently leveraging the Gootloader framework: beyond the REvil ransomware and the Gootkit Trojan, it has been used to stealthily deliver the Kronos financial malware in Germany and the Cobalt Strike post-exploitation tool in the U.S.