Gootkit RAT using SEO to distribute malware and steal banking credentials

March 1, 2021

Sophos researchers have published a report revealing that the Gootkit malware family, a trojan mostly focused on theft of banking credentials, has been upgraded to “Gootloader,” featuring increased malware delivery capabilities, according to The Hacker News. Researchers Gabor Szappanos and Andrew Brandt said Gootloader harnesses sophisticated infiltration techniques, such as manipulating search engine optimization methods so that legitimate businesses’ websites appear in the top results of search queries, and then hosting malicious ZIP archive files on those websites. Users who click on the search result are taken to a fake page with a link to a ZIP file; opening it delivers the malware onto the victim’s system and triggers the next stages of the attack, including a .NET loader and the final, encrypted payload. “The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware,” Szappanos said.
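The delivery chain described above (search result on a legitimate site, a landing page, then a ZIP download from that same site) leaves a recognisable trail in web proxy logs. The following is an added detection example written for this article; it is not code from Sophos, SC Media or the Gootloader report. It assumes a simple space-separated proxy log format (timestamp, user, method, URL, referrer, status), a small list of search-engine hostnames, and constructed sample log lines with placeholder `.test` domains; none of these are indicators from the report.

```python
"""Flag 'search engine -> landing page -> ZIP download' chains in proxy logs.

Heuristic modelled on the Gootloader delivery path reported by Sophos:
a user arrives at a site from a search-engine results page and, shortly
after, fetches a ZIP archive from that same site with the landing page
as the referrer. Log format and sample data below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: hostnames treated as search-engine results pages.
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Constructed sample proxy log (not real traffic):
# <timestamp> <user> <method> <url> <referrer or -> <status>
SAMPLE_LOG = """\
2021-03-01T10:00:01Z alice GET https://www.google.com/search?q=agreement+template - 200
2021-03-01T10:00:09Z alice GET https://example-lawfirm.test/forum/?q=agreement https://www.google.com/search?q=agreement+template 200
2021-03-01T10:00:15Z alice GET https://example-lawfirm.test/download.php?file=agreement_template.zip https://example-lawfirm.test/forum/?q=agreement 200
2021-03-01T10:05:00Z bob GET https://vendor.test/releases/tool-1.2.zip https://vendor.test/releases/ 200
2021-03-01T10:07:00Z carol GET https://www.bing.com/search?q=invoice+form - 200
2021-03-01T10:07:30Z carol GET https://shop.test/products https://www.bing.com/search?q=invoice+form 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# ".zip" in the path or query string, but not e.g. "zipcode".
ZIP_RE = re.compile(r"\.zip(?![a-z0-9])")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, referrer, status = m.groups()
    return {
        "ts": ts,
        "user": user,
        "method": method,
        "url": url,
        "referrer": None if referrer == "-" else referrer,
        "status": int(status),
    }


def is_search_referrer(referrer):
    """True if the referrer is a results page on a known search engine."""
    if not referrer:
        return False
    return urlparse(referrer).hostname in SEARCH_ENGINE_HOSTS


def find_seo_zip_chains(log_text):
    """Return a list of (user, landing_url, zip_url) tuples.

    A hit requires, for the same user: a page reached from a search-engine
    referrer (the landing page), followed by a ZIP download whose referrer
    is that landing page and whose host matches the landing page's host.
    """
    landings = defaultdict(set)  # user -> set of landing-page URLs
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if is_search_referrer(rec["referrer"]):
            landings[rec["user"]].add(rec["url"])
            continue
        if not ZIP_RE.search(rec["url"].lower()):
            continue
        ref = rec["referrer"]
        if (
            ref
            and ref in landings[rec["user"]]
            and urlparse(ref).hostname == urlparse(rec["url"]).hostname
        ):
            hits.append((rec["user"], ref, rec["url"]))
    return hits


if __name__ == "__main__":
    for user, landing, zip_url in find_seo_zip_chains(SAMPLE_LOG):
        print(f"[ALERT] {user}: search -> {landing} -> {zip_url}")
```

On the constructed sample, only `alice`'s sequence is flagged: `bob` downloads a ZIP without ever arriving from a search engine, and `carol` arrives from a search engine but downloads nothing. In production this is a triage signal rather than a verdict, since ordinary sites do host legitimate archives; it is most useful combined with the archive's contents and what the endpoint executes afterwards.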
Jill Aitoro

SC Media Editor in Chief Jill Aitoro has 20 years of experience editing and reporting on technology, business and policy. She also serves as editorial director at SC Media’s parent company, CyberRisk Alliance. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.