Gootkit Loader resurfaces with updated techniques to compromise targeted victims
On Sunday, Gootkit access-as-a-service (AaaS) malware operators resurfaced with updated tactics to compromise unsuspecting victims.
Trend Micro researchers Buddy Tancio and Jed Valderama said that in the past, Gootkit used freeware installers to mask malicious files; now it’s using legal documents to trick users into downloading these files.
The findings build on a previous report from eSentire, which in January revealed widespread attacks aimed at employees of accounting and law firms, deploying malware on the infected systems.
Gootkit is part of the proliferating underground ecosystem of access brokers, who are known for selling other malicious actors a route into corporate networks, paving the way for more damaging follow-on attacks such as ransomware.
The loader relies on malicious search engine results, a technique called SEO poisoning, to lure unsuspecting users into visiting compromised websites that host malware-laced ZIP package files purportedly related to disclosure agreements for real estate transactions.
The researchers said, “The combination of SEO poisoning and compromised legitimate websites can mask indicators of malicious activity that would usually keep users on their guard.”