
"Gootloader JavaScript malware, commonly used to deliver ransomware, is back in action after a period of reduced activity. Since October 27, security shop Huntress says it has spotted three Gootloader infections, and two of these led to hands-on-keyboard intrusions with domain controller compromise occurring in as little as 17 hours after the attackers gained initial access."
"'The infection operates through a well-established criminal partnership: Storm-0494 handles Gootloader operations and initial access, then hands off compromised environments to Vanilla Tempest for post-exploitation and ransomware deployment,' Pham said in a Wednesday blog. Gootloader, which functions as both a malware dropper and an infostealer, has been around since at least 2014 with some disruptions to its operations and briefly resurged in March. Like most movie monsters and malware, however, it returned from the grave, this time with some changes - like custom WOFF2 fonts with glyph substitution to obfuscate filenames - and some of the same old tricks such as SEO poisoning."
"In one of the infections that Huntress discovered, the user was searching "missouri cover utility easement roadway" via Bing, and the search engine served up a compromised site in the first page of results. The loader abuses WordPress's comment submission endpoint to hide encrypted payloads, and when the user clicks "Download," they unwittingly install a ZIP archive with a malicious JavaScript file for additional payloads such as ransomware."
Gootloader JavaScript malware has resumed activity after a period of reduced operations. Huntress has seen three infections since October 27; two of them led to hands-on-keyboard intrusions, with domain controller compromise in as little as 17 hours after initial access. The operations follow a criminal partnership in which Storm-0494 obtains initial access with Gootloader and then hands environments off to Vanilla Tempest for post-exploitation and ransomware deployment. Gootloader acts as both a dropper and an infostealer. It uses SEO poisoning to push compromised sites onto the first page of search results (Bing in the observed case), abuses WordPress's comment submission endpoint to hide encrypted payloads, delivers a ZIP archive containing a malicious JavaScript file when the victim clicks "Download", and uses custom WOFF2 fonts with glyph substitution to obfuscate filenames.
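The delivery chain above ends with a user opening a JavaScript file that arrived inside a browser-downloaded ZIP. On Windows, double-clicking a .js file hands it to wscript.exe by default, so a first-line detection is a script host (wscript.exe/cscript.exe) executing a .js from a download or temp directory. The following is an added example written for this page, not code from The Register or Huntress: the pipe-separated event format, the sample log lines, the directory list and the filenames are all constructed assumptions for illustration, not a real product schema or real Gootloader artifacts.

```python
"""
Flag process-creation events where a Windows script host runs a .js file from a
user-writable download/extraction path. Added example; the log format and sample
lines below are constructed for illustration (not a real product's schema).
"""
import re
from dataclasses import dataclass

# Script hosts Windows uses for .js files (wscript.exe by default, cscript.exe for console).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Locations where a browser-downloaded ZIP is commonly extracted.
# Assumption for this example; tune the list to the environment.
SUSPICIOUS_DIRS = re.compile(
    r"\\(Downloads|Temp|AppData\\Local\\Temp|Desktop)\\", re.IGNORECASE
)

# A .js path on the command line, quoted or not; the lookahead stops ".json" from matching.
JS_ARG = re.compile(r'"?([^"\s]+\.js)(?=["\s]|$)', re.IGNORECASE)


@dataclass
class Event:
    user: str
    parent: str    # parent process image
    image: str     # process image
    cmdline: str   # full command line


def parse_line(line: str) -> Event:
    """Parse one constructed 'user|parent|image|cmdline' event line."""
    user, parent, image, cmdline = line.split("|", 3)
    return Event(user, parent, image, cmdline)


def suspicious_script_path(ev: Event):
    """Return the .js path if the event matches the pattern, else None."""
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if exe not in SCRIPT_HOSTS:
        return None
    m = JS_ARG.search(ev.cmdline)
    if not m:
        return None
    path = m.group(1)
    return path if SUSPICIOUS_DIRS.search(path) else None


def scan(lines):
    """Return (user, script path) for every event that matches the pattern."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        path = suspicious_script_path(ev)
        if path:
            hits.append((ev.user, path))
    return hits


# Constructed sample events: one user double-click of an extracted .js, one benign
# admin script, one archive tool launch, and one follow-on script from Temp.
SAMPLE_LOG = [
    r'jdoe|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\easement_docs\utility_easement_form.js"',
    r'svc_build|C:\Windows\System32\cmd.exe|C:\Windows\System32\cscript.exe|cscript.exe //nologo C:\Scripts\inventory.js',
    r'jdoe|C:\Windows\explorer.exe|C:\Program Files\7-Zip\7zFM.exe|"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\jdoe\Downloads\easement_docs.zip"',
    r'jdoe|C:\Windows\System32\wscript.exe|C:\Windows\System32\cscript.exe|cscript.exe "C:\Users\jdoe\AppData\Local\Temp\stage2.js"',
]

if __name__ == "__main__":
    for user, path in scan(SAMPLE_LOG):
        print(f"ALERT user={user} script host ran {path}")
```

This is a coarse triage rule, not a verdict: legitimate logon or admin scripts can live in these directories, so it is meant to feed a queue that also checks the parent process (explorer.exe for a double-click) and any child processes the script spawns. The 17-hour window the article reports is the argument for triaging such alerts quickly rather than in a daily batch.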
Read at The Register