Sophos researchers have named the platform, “Gootloader.” Gootloader is actively delivering malicious payloads through tightly targeted operations in the US, Germany and South Korea. From this point on, the attack proceeds covertly, using a wide range of complicated evasion techniques, multiple layers of obfuscation, and fileless malware that is injected into memory or the registry where conventional security scans cannot reach it. “The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware,” said Gabor Szappanos, threat research director at Sophos. Further, instead of actively attacking endpoint tools as some malware distributors do, the creators of Gootloader have opted for convoluted evasive techniques that conceal the end result. These include Google search results that point to websites for businesses that have no logical connection to the advice they appear to offer; advice that precisely matches the search terms used in the initial question; and a ‘message board’-style page that looks identical to the examples shown in the Sophos research, featuring text and a download link that also precisely matches the search terms used in the initial Google search.” The best overall protection against Gootloader attacks is a comprehensive security solution that can scan for suspicious activity in memory and protect against fileless malware.
- Virus Protection Software
- Virtualization & Network Resources
- General Healthcare software
- Security Software
- Data Management