#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

Gootkit | Breaking Cybersecurity News | The Hacker News

Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms

Gootkit Malware Adopts New Tactics to Attack Healthcare and Finance Firms
Feb 09, 2023 Threat Intelligence / Malware
The Gootkit malware is prominently going after healthcare and finance organizations in the U.S., U.K., and Australia, according to new findings from Cybereason. The cybersecurity firm said it investigated a Gootkit incident in December 2022 that adopted a new method of deployment, with the actors abusing the foothold to deliver  Cobalt Strike  and  SystemBC  for post-exploitation. "The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than four hours," Cybereason  said  in an analysis published February 8, 2023. Gootkit, also called Gootloader, is exclusively attributed to a threat actor tracked by Mandiant as UNC2565. Starting its life in 2014 as a banking trojan, the malware has since morphed into a loader capable of delivering next-stage payloads. The shift in tactics was  first uncovered  by Sophos in March 2021. Gootloader takes the form of heavily-obfuscated JavaScript files th

Gootkit Malware Continues to Evolve with New Components and Obfuscations

Gootkit Malware Continues to Evolve with New Components and Obfuscations
Jan 29, 2023 Cyber Threat / Malware
The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is  monitoring  the activity cluster under the moniker  UNC2565 , noting that the usage of the malware is "exclusive to this group." Gootkit , also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning. The purported documents take the form of ZIP archives that harbor the JavaScript malware, which, when launched, paves the way for additional payloads such as  Cobalt Strike Beacon , FONELAUNCH, and SNOWCONE. FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, whereas SNOWCONE is a downloader that's tasked with retrieving next-stage payloads, typically  IcedID ,

Making Sense of Operational Technology Attacks: The Past, Present, and Future

Making Sense of Operational Technology Attacks: The Past, Present, and Future
Mar 21, 2024Operational Technology / SCADA Security
When you read reports about cyber-attacks affecting operational technology (OT), it's easy to get caught up in the hype and assume every single one is sophisticated. But are OT environments all over the world really besieged by a constant barrage of complex cyber-attacks? Answering that would require breaking down the different types of OT cyber-attacks and then looking back on all the historical attacks to see how those types compare.  The Types of OT Cyber-Attacks Over the past few decades, there has been a growing awareness of the need for improved cybersecurity practices in IT's lesser-known counterpart, OT. In fact, the lines of what constitutes a cyber-attack on OT have never been well defined, and if anything, they have further blurred over time. Therefore, we'd like to begin this post with a discussion around the ways in which cyber-attacks can either target or just simply impact OT, and why it might be important for us to make the distinction going forward. Figure 1 The Pu

Australian Healthcare Sector Targeted in Latest Gootkit Malware Attacks

Australian Healthcare Sector Targeted in Latest Gootkit Malware Attacks
Jan 11, 2023 Healthcare / Cyber Threat
A recent wave of Gootkit malware loader attacks has targeted the Australian healthcare sector by leveraging legitimate tools like VLC Media Player. Gootkit , also called Gootloader, is  known  to  employ  search engine optimization (SEO) poisoning tactics (aka spamdexing) for initial access. It typically works by compromising and abusing legitimate infrastructure and seeding those sites with common keywords. Like other malware of its kind, Gootkit is capable of stealing data from the browser, performing adversary-in-the-browser (AitB) attacks, keylogging, taking screenshots, and other malicious actions. Trend Micro's  new findings  reveal that the keywords "hospital," "health," "medical," and "enterprise agreement" have been paired with various city names in Australia, marking the malware's expansion beyond accounting and law firms. The starting point of the cyber assault is to direct users searching for the same keywords to an infe

Automated remediation solutions are crucial for security

cyber security
websiteWing SecurityShadow IT / SaaS Security
Especially when it comes to securing employees' SaaS usage, don't settle for a longer to-do list. Auto-remediation is key to achieving SaaS security.

Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers

Gootkit Loader Resurfaces with Updated Tactic to Compromise Targeted Computers
Aug 01, 2022
The operators of the Gootkit access-as-a-service ( AaaS ) malware have resurfaced with updated techniques to compromise unsuspecting victims. "In the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into downloading these files," Trend Micro researchers Buddy Tancio and Jed Valderama  said  in a write-up last week. The findings build on a previous report from eSentire, which  disclosed  in January of widespread attacks aimed at employees of accounting and law firms to deploy malware on infected systems. Gootkit is part of the proliferating underground ecosystem of access brokers, who are known to provide other malicious actors a pathway into corporate networks for a price, paving the way for actual damaging attacks such as ransomware. The loader utilizes malicious search engine results, a technique called  SEO poisoning , to lure unsuspecting users into visiting compromised websites hosting malware-laced ZIP pac
Cybersecurity Resources