
Gootkit malware significantly updated


Malware operator UNC2565 has substantially updated the Gootkit remote access trojan, also known as Gootloader, adding new infection-chain components and obfuscation techniques, The Hacker News reports. The group lures would-be victims through search engine optimization (SEO) poisoning, which steers them to compromised websites that serve the malware. According to a Mandiant report, the newest variant, tracked as GOOTLOADER.POWERSHELL, carries an overhauled infection chain; Trend Micro had earlier documented the same chain in attacks against the Australian healthcare industry.

Mandiant also describes three obfuscation techniques, including hiding the loader's code inside modified copies of the legitimate jQuery, Underscore.js, and Chroma.js JavaScript libraries, so that the malicious file resembles a library a site would be expected to serve. Since May 2021, UNC2565 has additionally deployed several variants of its FONELAUNCH loader for executing DLLs, .NET binaries, and PE files. "These changes are illustrative of UNC2565's active development and growth in capabilities," said Mandiant researchers Andy Morales and Govand Sinjari.
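One practical check that follows from the library-tampering technique above is to compare a JavaScript file served by a site against the known-good release of the same library and pull out whatever was added. The script below is an added example, not code from Mandiant, SC Media, or the Gootloader authors; the "library" and the injected block are short constructed stand-ins rather than real jQuery, and the suspicious-construct heuristics are assumptions chosen for illustration, not a signature for this malware.

```python
import hashlib
import difflib
import re

# Constructed sample standing in for the known-good copy of a library
# (e.g. the file fetched from the vendor's CDN or a pinned package).
KNOWN_GOOD_JS = """/*! example-lib v1.0.0 (constructed stub, not real jQuery) */
(function(){var a=1;function f(x){return x+a;}window.f=f;})();
"""

# Constructed sample of the same file as a compromised site might serve it:
# the original content is intact and a self-invoking block has been appended,
# using hex-escaped strings and indirect property access to hide an eval.
SERVED_JS = KNOWN_GOOD_JS + (
    '(function(){var s=["\\x65\\x76\\x61\\x6c"];window[s[0]]("/*payload*/")})();\n'
)

# Heuristics (assumptions for this example) for constructs common in obfuscated loaders.
SUSPICIOUS_PATTERNS = [
    re.compile(r"\\x[0-9a-fA-F]{2}"),          # hex-escaped string literals
    re.compile(r"window\[[^\]]+\]\("),          # indirect call via computed property
    re.compile(r"\b(eval|Function|atob)\s*\("), # classic dynamic-code entry points
]


def sha256_hex(text):
    """Hash the file as served; a mismatch against the vendor hash is the first signal."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def injected_lines(known_good, served):
    """Return lines present in the served file but absent from the known-good copy."""
    diff = difflib.unified_diff(
        known_good.splitlines(), served.splitlines(), lineterm="", n=0
    )
    return [
        line[1:] for line in diff
        if line.startswith("+") and not line.startswith("+++")
    ]


def is_suspicious(line):
    """True if the added line matches any of the example heuristics."""
    return any(p.search(line) for p in SUSPICIOUS_PATTERNS)


def check_library(known_good, served):
    """Summarise whether the served file deviates from the reference and how."""
    added = injected_lines(known_good, served)
    return {
        "hash_matches": sha256_hex(known_good) == sha256_hex(served),
        "added_lines": added,
        "suspicious": any(is_suspicious(l) for l in added),
    }


if __name__ == "__main__":
    result = check_library(KNOWN_GOOD_JS, SERVED_JS)
    print("hash matches reference:", result["hash_matches"])
    for line in result["added_lines"]:
        flag = "SUSPICIOUS" if is_suspicious(line) else "added"
        print(f"[{flag}] {line}")
```

The hash comparison alone is enough to know a file is not the vendor's release; the diff step tells a responder what was added, which is what you want when the modification is a block appended to an otherwise genuine library. On the serving side, Subresource Integrity (`integrity="sha256-..."` on `<script>` tags) lets browsers refuse a tampered library outright, though it only helps for scripts loaded cross-origin from a CDN, not for a copy the compromised site hosts itself.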
