
A security team is turning this malware gang's tricks against it


Certain cybercriminal groups such as ransomware gangs, botnet operators, and financial fraud scammers receive targeted attention for their attacks and operations. But the larger ecosystem underlying digital crime includes a variety of malicious actors and organizations that essentially sell support services to these criminal clients. Today, researchers at the security company eSentire are detailing their methods for disrupting the operations of a longstanding criminal enterprise that compromises businesses and other organizations and then sells that digital access to other attackers.

Known as an initial access-as-a-service operation, the Gootloader malware and the criminals behind it have been compromising and scamming targets for years. The Gootloader gang infects victim organizations and then sells access to deliver a customer's preferred malware to the compromised network, be it ransomware, data exfiltration mechanisms, or other tools to further compromise the target. From tracking data on Gootloader's pages, for example, eSentire researchers collected evidence that the notorious Russia-based ransomware gang REvil regularly worked with Gootloader between 2019 and 2022 to gain initial access to victims, a relationship that other researchers have noticed as well.

Joe Stewart, Principal Security Researcher at eSentire, and Keegan Keplinger, Principal Threat Researcher, designed a web crawler to keep track of active Gootloader web pages and previously infected sites. Currently, the two see around 178,000 active Gootloader web pages and more than 100,000 pages that historically appear to have been infected with Gootloader. In a retrospective advisory last year, the US Cybersecurity and Infrastructure Security Agency warned that Gootloader was one of the top malware strains of 2021, along with 10 others.

By tracking Gootloader activity and operations over time, Stewart and Keplinger identified characteristics of how Gootloader covers its tracks and attempts to evade detection, characteristics that defenders can in turn exploit to protect networks from infection.

“By digging deeper into how the Gootloader system and malware work, you can find all these little opportunities to impact your operations,” says Stewart. “When it catches my eye, I get obsessed with things, and that’s what you don’t want as a malware author, is for researchers to get fully immersed in your operations.”

Out of sight, out of mind

Gootloader evolved from a banking Trojan known as Gootkit that has been infecting targets, primarily in Europe, since 2010. Gootkit was typically distributed via phishing emails or corrupted websites and was designed to steal financial information such as credit card details and bank account logins. Since a wave of activity beginning in 2020, however, researchers have tracked Gootloader separately, because the malware delivery mechanism has increasingly been used to distribute a variety of criminal software, including spyware and ransomware.

The Gootloader operator is known to distribute links to malicious documents, particularly templates and other generic forms. When targets click on links to download these documents, they inadvertently become infected with Gootloader malware. To get targets to initiate the download, attackers compromise legitimate blogs, particularly WordPress blogs, and discreetly add content that includes links to the malicious documents, a tactic known as search engine optimization poisoning.

Gootloader is designed to filter visitors to the poisoned blog posts on a number of criteria. For example, if someone is logged into a compromised WordPress blog, whether they have admin privileges or not, they won't be able to see the blog posts that contain the malicious links. And Gootloader even goes so far as to permanently block IP addresses that are numerically close to the address registered to a relevant WordPress account. The idea is to prevent other people in the same organization from seeing the malicious posts.
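The cloaking described above gives a site owner a concrete check: the injected posts are served to anonymous visitors but hidden from logged-in users and from addresses near the owner's, so fetching the same URL both ways and diffing the links exposes the injection. The following is an added example written for this page, not eSentire's crawler or any code from the article; the HTML fetch is left out, the sample pages are constructed, and the /24 proximity threshold is an assumption (the article says only "numerically close").

```python
"""Added example, not from the article or from eSentire's tooling.

Compares an anonymous and an authenticated rendering of the same WordPress
page and reports links that appear only to anonymous visitors, which is the
signature of the cloaking Gootloader applies to its SEO-poisoned posts.
"""
import ipaddress
from html.parser import HTMLParser


class _LinkCollector(HTMLParser):
    """Collect the href target of every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html):
    """Return the set of href targets found in the HTML string."""
    parser = _LinkCollector()
    parser.feed(html)
    return set(parser.links)


def cloaked_links(anonymous_html, authenticated_html):
    """Links served to an anonymous visitor but absent from the logged-in view.

    A non-empty result means the page is being rendered differently for
    search-engine traffic than for the site's own staff, which is exactly
    what Gootloader relies on to keep the owner from noticing the posts.
    """
    return sorted(extract_links(anonymous_html) - extract_links(authenticated_html))


def is_near(scanner_ip, registered_ip, prefix_len=24):
    """True if the scanner's address sits in the same block as the account's.

    Assumption (not stated in the article): "numerically close" is modelled
    as the same /24. A scan from such an address may be blocked outright and
    return a clean page, so a negative result from inside the organisation's
    own network is not conclusive; scan from an unrelated network too.
    """
    block = ipaddress.ip_network(f"{registered_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(scanner_ip) in block


# Constructed sample renderings of one blog post (placeholder domains).
ANON_HTML = """<html><body>
<p>Download the <a href="https://example.org/agreement-template">agreement template</a>.</p>
<div style="display:none"><a href="https://cdn.example.net/forms/nda_template.zip">nda template</a></div>
<a href="/about">About</a>
</body></html>"""

AUTH_HTML = """<html><body>
<a href="/about">About</a>
</body></html>"""


def scan_report(anonymous_html, authenticated_html, scanner_ip, registered_ip):
    """Bundle the two checks into one result a monitoring job can act on."""
    return {
        "cloaked_links": cloaked_links(anonymous_html, authenticated_html),
        "scanner_possibly_blocked": is_near(scanner_ip, registered_ip),
    }


if __name__ == "__main__":
    # Scanner on an unrelated network (constructed addresses) sees the injected links.
    print(scan_report(ANON_HTML, AUTH_HTML, "198.51.100.9", "203.0.113.5"))
```

Run the anonymous fetch without cookies and from a network unrelated to the one the WordPress account was registered from; the `scanner_possibly_blocked` flag is there to remind the operator that a clean result from a nearby address may simply mean the scanner was filtered.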

