Mandiant Managed Defense has reliably resolved GOOTLOADER infections since January 2021. When spreading GOOTLOADER, malicious actors cast a wide net, affecting a variety of industrial verticals and geographical areas.
Gootkit Malware
The Gootkit Trojan is Javascript-based malware that carries out a number of malicious tasks, such as authorizing threat actors remote access, recording video, capturing keystrokes, stealing emails, stealing passwords, and having the ability to inject malicious files to steal online banking login details.
Gootkit previously spread malware in the disguise of freeware installers, but now it deceives users into downloading these files by presenting them as legal documents. A user enters a search query into a search engine to begin the attack chain.
Mandiant Managed Defense believes that UNC2565, a group it tracks, is the sole group that the GOOTLOADER virus and infrastructure belong to at this time. Due to these breaches' rapid detection and mitigation, Mandiant's observation of post-compromise GOOTLOADER activities has mostly been restricted to internal surveillance.
If the GOOTLOADER file is successfully executed, other payloads like FONELAUNCH and Cobalt Strike BEACON or SNOWCONE that are saved in the registry will be downloaded. Future phases include PowerShell being used to execute these payloads.
The. NET-based loader FONELAUNCH is intended to load an encoded payload into memory, while the downloader SNOWCONE is responsible for obtaining next-stage payloads, notably IcedID, through HTTP.
The primary aims of Gootkit have remained the same, however, the attack process has undergone substantial modifications. Currently, the JavaScript file contained in the ZIP archive is trojanized and contains a different JavaScript file that is obfuscated and then begins to execute the malware.
Furthermore, to avoid detection, the malware's creators allegedly used three distinct strategies to cloak Gootkit, including hiding the code inside modified versions of trustworthy JavaScript libraries like jQuery, Chroma.js, and Underscore.js. These modifications show how actively developing and expanding UNC2565's capabilities remain.