Cybersecurity researchers from the information security company Mandiant
Gootkit (Gootloader) is distributed through compromised websites that victims land on when searching for business documents (agreements, contracts, etc.), using the SEO poisoning technique.
The documents are disguised as ZIP archives containing malicious JavaScript code which, when launched, opens the way for additional payloads: Cobalt Strike Beacon, FONELAUNCH and SNOWCONE.
- FONELAUNCH is a .NET-based loader designed to load encoded payloads into memory;
- SNOWCONE is a downloader that retrieves the next-stage payload (usually IcedID) over HTTP.
GOOTLOADER.POWERSHELL
While the overall goals of Gootkit have remained unchanged, the attack chain has undergone significant changes: the JavaScript file inside the ZIP archive is now trojanized and contains obfuscated JavaScript code that executes the malware.
The new variant, discovered in November 2022, is tracked as GOOTLOADER.POWERSHELL. It is worth noting that the updated infection chain was also documented earlier this month by Trend Micro, in connection with Gootkit attacks on the Australian healthcare sector.
In addition, the malware authors evade detection by hiding their code inside modified versions of legitimate JavaScript libraries: jQuery, Chroma.js and Underscore.js.
Three different variants of FONELAUNCH (FONELAUNCH.FAX, FONELAUNCH.PHONE and FONELAUNCH.DIALTONE) have been used by UNC2565 since May 2021 to execute DLLs, .NET binaries and PE files, which shows that the malware arsenal is continually maintained and updated. These changes point to active development and growing capabilities on the part of UNC2565.