Gootkit RAT using SEO to distribute malware and steal banking credentials

Sophos researchers have published a report revealing that the Gootkit malware family, a trojan best known for stealing banking credentials, has evolved into "Gootloader," a delivery framework with expanded malware-distribution capabilities, according to The Hacker News.

Researchers Gabor Szappanos and Andrew Brandt said Gootloader relies on sophisticated infiltration techniques, among them search engine optimization (SEO) poisoning: the websites of legitimate businesses, which the attackers have compromised, are manipulated to rank near the top of search results for particular queries, and malicious ZIP archives are hosted on those same sites.

Users who click the poisoned search result land on a fake page containing a link to the ZIP archive. Running the contents of the archive infects the victim's system and triggers the next stages of the attack, including a .NET loader and the final, encrypted payload.

"The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware," Szappanos said.
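
The delivery chain described above (search result, landing page, ZIP download from the same site) leaves a recognizable sequence in web proxy logs. The following is an added detection example written for this page; it is not code from Sophos, SC Media or the Gootloader report. It scans constructed, invented proxy log lines for a client that arrives on a site from a search-engine referrer and then downloads a ZIP archive from that same site within a short window. The log format, hostnames, IP addresses and the 120-second window are all assumptions chosen for illustration.

```python
"""Flag search-referral -> same-site ZIP download sequences in proxy logs.

Added example for illustration only; the log format and all sample data
below are constructed and do not come from any real incident.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Referrer hosts treated as search engines (assumption: extend for your environment).
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Maximum gap between the search-referred page view and the ZIP download (assumption).
WINDOW = timedelta(seconds=120)

# Constructed proxy log: timestamp, client IP, requested URL, referrer ("-" if none), content type.
SAMPLE_LOG = """\
2021-03-02T10:00:01 10.0.0.5 https://example-law-firm.test/forum/?q=agreement https://www.google.com/search?q=sample+agreement text/html
2021-03-02T10:00:09 10.0.0.5 https://example-law-firm.test/download.php?id=17 https://example-law-firm.test/forum/?q=agreement application/zip
2021-03-02T10:05:00 10.0.0.7 https://vendor.test/pricing https://www.bing.com/search?q=vendor text/html
2021-03-02T10:30:00 10.0.0.7 https://vendor.test/catalog.zip https://vendor.test/pricing application/zip
2021-03-02T11:00:00 10.0.0.9 https://files.test/tool.zip - application/zip
"""


def parse_line(line):
    """Split one whitespace-separated log line into a record dict."""
    ts, client, url, referrer, ctype = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "url": url,
        "referrer": referrer,
        "ctype": ctype,
    }


def is_zip_download(rec):
    """True if the response is a ZIP by content type or by URL path extension."""
    path = urlparse(rec["url"]).path.lower()
    return rec["ctype"] == "application/zip" or path.endswith(".zip")


def find_seo_zip_chains(log_text, window=WINDOW):
    """Return one alert per client that downloads a ZIP from the site it reached
    via a search-engine referrer, within `window` of landing on that site."""
    alerts = []
    # client -> (landing time, landing host) for the most recent search-referred page view
    last_landing = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = urlparse(rec["url"]).hostname
        ref_host = urlparse(rec["referrer"]).hostname if rec["referrer"] != "-" else None

        # Step 1 of the chain: an HTML page reached directly from a search engine.
        if ref_host in SEARCH_ENGINES and rec["ctype"].startswith("text/html"):
            last_landing[rec["client"]] = (rec["time"], host)
            continue

        # Step 2: a ZIP served by the same host shortly afterwards.
        if is_zip_download(rec) and rec["client"] in last_landing:
            landed_at, landing_host = last_landing[rec["client"]]
            if host == landing_host and rec["time"] - landed_at <= window:
                alerts.append({
                    "client": rec["client"],
                    "host": host,
                    "zip_url": rec["url"],
                    "seconds_after_landing": int((rec["time"] - landed_at).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_seo_zip_chains(SAMPLE_LOG):
        print(alert)
```

Of the three clients in the constructed log, only 10.0.0.5 matches: it lands on a page from a Google referrer and pulls a ZIP from the same host eight seconds later. Client 10.0.0.7 downloads a ZIP from its landing site too, but 25 minutes later, so it falls outside the window; client 10.0.0.9 has no search referrer at all. The heuristic only covers the network-visible part of the chain; what happens once the archive's contents run (the .NET loader and the final payload) has to be caught by endpoint telemetry.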
Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.
