Gootkit RAT using SEO to distribute malware and steal banking credentials

Sophos researchers have published a report revealing that the Gootkit malware family, a trojan mostly focused on the theft of banking credentials, has been upgraded to “Gootloader”, featuring increased malware delivery capabilities, according to The Hacker News. Researchers Gabor Szappanos and Andrew Brandt said Gootloader harnesses sophisticated infiltration techniques, such as manipulating search engine optimization to make legitimate businesses appear in the top results of search queries, and then hosting malicious ZIP archive files on those businesses’ websites. Users who click on the search result are taken to a fake page with a link to a ZIP file; opening it injects the malware into the victim’s system and triggers the next stages of the attack, including a .NET loader and the final, encrypted payload. “The developers behind Gootkit appear to have shifted resources and energy from delivering just their own financial malware to creating a stealthy, complex delivery platform for all kinds of payloads, including REvil ransomware,” Szappanos said.
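To turn the delivery chain described above into a detection, here is an added example (not code from the Sophos report or from SC Media) that scans constructed web-proxy log lines for ZIP downloads whose referring page was itself reached from a search-engine result, the two-hop pattern of search result, landing page, archive. The log format, the hostnames and the search-engine list are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Fields:
# timestamp client_ip method url referrer content_type  ("-" = no referrer)
SAMPLE_LOG = """\
1614600000 10.0.0.5 GET https://www.google.com/search?q=contract+agreement+template - text/html
1614600004 10.0.0.5 GET https://legit-smallbusiness.example/blog/agreement https://www.google.com/search?q=contract+agreement+template text/html
1614600009 10.0.0.5 GET https://legit-smallbusiness.example/files/contract_agreement_template.zip https://legit-smallbusiness.example/blog/agreement application/zip
1614600030 10.0.0.7 GET https://intranet.example/reports/q4.zip https://intranet.example/reports/ application/zip
"""

# Assumed list of search-engine hosts; extend for your environment.
SEARCH_ENGINES = {"www.google.com", "www.bing.com", "duckduckgo.com", "search.yahoo.com"}


def parse_line(line):
    """Split one whitespace-separated proxy log line into a dict."""
    ts, client, method, url, referrer, ctype = line.split()
    return {"ts": int(ts), "client": client, "method": method, "url": url,
            "referrer": None if referrer == "-" else referrer, "ctype": ctype}


def is_zip(ev):
    """True if the response is a ZIP by content type or by URL path extension."""
    return ev["ctype"] == "application/zip" or urlparse(ev["url"]).path.lower().endswith(".zip")


def find_seo_zip_downloads(log_text):
    """Return ZIP downloads whose referring page was itself reached from a search engine.

    Events must appear in time order: the landing-page request has to be seen
    before the archive request so its referrer is already recorded.
    """
    page_referrers = {}  # (client, page_url) -> referrer that led to that page
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        page_referrers[(ev["client"], ev["url"])] = ev["referrer"]
        if not is_zip(ev) or not ev["referrer"]:
            continue
        # Walk one hop back: what brought this client to the page linking the ZIP?
        landing_ref = page_referrers.get((ev["client"], ev["referrer"]))
        if landing_ref and urlparse(landing_ref).netloc in SEARCH_ENGINES:
            hits.append({"client": ev["client"], "zip_url": ev["url"],
                         "landing_page": ev["referrer"], "search_url": landing_ref})
    return hits


if __name__ == "__main__":
    for hit in find_seo_zip_downloads(SAMPLE_LOG):
        print(hit)
```

The intranet ZIP on the last line is not flagged because its referring page was never reached from a search engine, which keeps ordinary internal archive traffic out of the alert.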
Jill Aitoro

Jill Aitoro is senior vice president of content strategy for CyberRisk Alliance. She has more than 20 years of experience editing and reporting on technology, business and policy. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.
