After a year-long vacation, the Gootkit information-stealing Trojan has returned to life alongside REvil Ransomware in a new campaign targeting Germany.
Last year, the Gootkit threat actors suffered a data leak after leaving a MongoDB database exposed on the Internet. After this breach, it was believed that the Gootkit actors had shut down their operation until they suddenly came alive again earlier this month.
Gootkit bursts back to life with ransomware partnership
Last week, a security researcher known as The Analyst told BleepingComputer that the Gootkit malware had emerged again in attacks targeting Germany.
In this new malicious campaign, threat actors are hacking WordPress sites and utilizing SEO poisoning to display fake forum posts to visitors. These posts pretend to be a question and answers with a link to fake forms or downloads.
When the user clicks on the link, they will download a ZIP file containing an obfuscated JS file that will install either the Gootkit malware or the REvil ransomware.
This same distribution method was previously used by REvil in September 2019, around the same time that Gootkit had disappeared.
Gootkit and REvil installed in fileless attacks
In Malwarebytes’ analysis, this payload is usually Gootkit, but it was also REvil ransomware in some cases.
These payloads would be stored as Base64 encoded or hexadecimal strings in either a text file or split up into numerous Windows Registry values, as shown below.
The loader will eventually read the Registry or text file’s payloads, decode it, and filelessly launch the process directly into memory.
Using obfuscated payloads and to break them up into pieces stored in the Registry, makes it harder for security software to detect the malicious payloads.
“The threat actors behind this campaign are using a very clever loader that performs a number of steps to evade detection. Given that the payload is stored within the registry under a randomly-named key, many security products will not be able to detect and remove it,” Malwarebytes explains.
An interesting discovery found by The Analyst when testing this malicious campaign was that the Revil infection dropped ransom notes used in previous attacks.
This error was likely caused by the distribution campaign using an older version of REvil ransomware and forgetting to refresh it with a newer version.