A recent report published by researchers states that the Gootkit information-stealing trojan has returned after a long hiatus and is being used alongside REvil (Sodinokibi) ransomware in a new campaign.
According to the report, researchers identified a resurgence of Gootkit activity targeting Germany, for which Germany’s DFN-CERT had issued a warning.
- The campaign relies on compromised websites, such as WordPress sites, that present a decoy forum template to socially engineer visitors.
- SEO poisoning techniques steer potential victims to these pages, where they are instructed to download a malicious file. The downloaded files carry embedded PE payloads for either Gootkit or REvil, which are executed filelessly.
- A multi-stage loader carries out a number of steps to evade detection.
- In this campaign, REvil drops ransom notes seen in previous attacks, which were likely generated by an older version of the ransomware.
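The report says the downloaded files carry embedded PE payloads but does not say how they are embedded. The following triage check is an added example written for this page, not code from the report, from eScan or from the Gootkit analysis; it assumes the payload sits inside a script or archive either as raw bytes or as a base64 string, and every sample input it scans is constructed here (the "PE" is a 152-byte header stub, not an executable).

```python
"""Triage check: does a downloaded file carry an embedded PE payload?
Added example for this page (not from the report or its authors).
Assumption: the payload is embedded either as raw bytes or as a base64
string inside a script/archive; the sample inputs below are constructed."""
import base64
import re
import struct

PE_SIG = b"PE\x00\x00"


def _build_stub_pe() -> bytes:
    """Constructed 152-byte stand-in for a PE: a DOS header whose e_lfanew
    (offset 0x3C) points at a PE signature, followed by a bare COFF header.
    It is not executable and is not real malware."""
    dos = bytearray(b"MZ\x90\x00" + b"\x00" * 60)   # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> 0x80
    dos += b"\x00" * (0x80 - len(dos))               # DOS stub padding
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)  # Machine = i386
    return bytes(dos) + PE_SIG + coff


def find_embedded_pe(data: bytes, max_lfanew: int = 0x10000) -> list:
    """Return offsets of MZ headers whose e_lfanew lands on 'PE\\0\\0'.
    Validating e_lfanew weeds out the many accidental 'MZ' byte pairs."""
    hits = []
    for m in re.finditer(b"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):      # no room for a DOS header; later hits are closer to EOF
            break
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        pe_off = off + e_lfanew
        if 0x40 <= e_lfanew <= max_lfanew and data[pe_off:pe_off + 4] == PE_SIG:
            hits.append(off)
    return hits


# 'TVqQ' is base64 for 'MZ\x90', the usual first bytes of a PE. Assumes the
# encoded run starts on a 3-byte boundary (a whole file encoded in one go).
B64_PE_RUN = re.compile(rb"TVqQ[A-Za-z0-9+/]{100,}={0,2}")


def find_base64_pe(data: bytes) -> list:
    """Return offsets of base64 runs that decode to data with a PE header."""
    hits = []
    for m in B64_PE_RUN.finditer(data):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]          # drop a partial trailing group
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:                             # binascii.Error is a ValueError
            continue
        if find_embedded_pe(decoded):
            hits.append(m.start())
    return hits


def scan_download(data: bytes) -> dict:
    """Run both checks; a non-empty list under either key means the file
    carries an embedded PE and belongs in a sandbox, not under a double-click."""
    return {"raw_pe": find_embedded_pe(data), "base64_pe": find_base64_pe(data)}


# Constructed samples standing in for the file served by the decoy forum page.
_STUB = _build_stub_pe()
SAMPLE_JS = (b"// constructed sample, not real malware\n"
             b'var blob = "' + base64.b64encode(_STUB) + b'";\n')
_ZIP_PREFIX = b"PK\x03\x04" + b"constructed archive bytes\n"
SAMPLE_ARCHIVE = _ZIP_PREFIX + _STUB
CLEAN_TEXT = b"Just a forum post about a contract template. MZ is not a header here.\n"

if __name__ == "__main__":
    for name, blob in (("js", SAMPLE_JS), ("archive", SAMPLE_ARCHIVE), ("clean", CLEAN_TEXT)):
        print(name, scan_download(blob))
```

The e_lfanew check is what keeps the raw scan useful on real downloads: plain "MZ" hits show up constantly in compressed or random data, while an MZ header whose pointer lands exactly on a PE signature almost never does by accident. Obfuscated loaders that split, XOR or reverse the payload will not trip either check, so treat a clean result as "nothing obvious", not as safe.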
Other Alliances of Terror
Several other banking trojans have been observed turning into loaders that deliver ransomware and enable sophisticated attacks on high-profile victims.
- In November, a series of ransomware attacks on healthcare organizations used TrickBot as a dropper to deploy Ryuk and Conti ransomware as payloads.
- Furthermore, TrickBot and Emotet reportedly topped the Global Threat Index for October 2020 and were being used to distribute ransomware in the healthcare sector.
Operators of several other ransomware families have allied with DDoS attackers and other malware groups to extort victims. Such collaborations have enabled cybercriminals to launch a range of campaigns from compromised devices.
To read more, please check the eScan Blog.