Gootkit malware: Returns and targets Germany with REvil!

Gootkit, an information-stealing trojan, has reappeared in the threat landscape after a year of inactivity. This time it is not alone: it has joined forces with the REvil ransomware in a new malicious campaign targeting Germany. Gootkit is a JavaScript-based malware that performs various malicious activities, such as remote access, keylogging, video recording, e-mail theft, password theft and injection of malicious scripts, aimed at stealing online banking credentials.

In 2019, the hackers who developed Gootkit suffered a data leak after leaving a MongoDB database exposed on the Internet. After this breach, it was believed that the hackers had stopped their activity completely. Now, however, they are reappearing.

A security researcher known as "The Analyst" told BleepingComputer last week that the Gootkit malware was carrying out attacks against Germany. In this new campaign, the hackers compromise WordPress websites and use SEO poisoning to display fake forum posts to visitors. These posts appear as Q&A threads containing a link that points to fake forms or downloads. When the user clicks the link, a ZIP file containing an obfuscated JS file is downloaded, which installs either the Gootkit malware or the REvil ransomware. The same method was used by the REvil gang in September 2019, around the time Gootkit disappeared.

In a new report released yesterday, Malwarebytes researchers explain that the malicious JavaScript payloads deliver either Gootkit or REvil. When run, the JavaScript connects to a C&C server and downloads another script containing the malicious payload.

These payloads are stored as Base64-encoded or hexadecimal strings, either in a text file or split across multiple Windows Registry values. The loader then reads the Registry values or the text file, decodes the payload and launches it directly in memory. Storing the payloads in this obfuscated form makes it harder for security software to detect them.
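The storage trick described above (an encoded payload split across several Registry values) is something a defender can hunt for without knowing the specific key names. The following is an added example, not code from the article or from Malwarebytes, that classifies long Base64 or hex strings among a set of registry values, regroups chunks whose names share a prefix and a numeric suffix, reassembles and decodes them, and checks for an MZ header; the registry key, value names and blobs are constructed here and are not real indicators.

```python
import base64
import re
# Constructed sample of a hypothetical registry key's values (not real IoCs):
# Pkg0..Pkg2 hold one Base64 blob split in three, Blob holds a hex blob, the rest is benign.
FAKE_PE = b"MZ" + b"\x90" * 58                        # 60 bytes that start like a PE image
_B64 = base64.b64encode(FAKE_PE).decode()             # 80 Base64 characters
SAMPLE_VALUES = {
    "Pkg0": _B64[:27], "Pkg1": _B64[27:54], "Pkg2": _B64[54:],
    "Blob": FAKE_PE.hex(),
    "InstallPath": r"C:\Program Files\Example",
    "Version": "3.1.4",
}
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SUFFIX_RE = re.compile(r"^(.*?)(\d+)$")               # splits "Pkg12" into ("Pkg", 12)

def classify(value, min_len=20):
    """Return 'hex', 'base64' or None for a registry string value."""
    if len(value) < min_len:
        return None
    if HEX_RE.match(value):                           # hex first: its alphabet is a subset of Base64's
        return "hex"
    return "base64" if BASE64_RE.match(value) else None

def find_encoded_fragments(values, min_len=20):
    """Group encoded-looking values by name prefix; returns {prefix: [(index, name, kind, value)]}."""
    groups = {}
    for name, value in values.items():
        kind = classify(value, min_len)
        if kind is None:
            continue
        m = SUFFIX_RE.match(name)
        prefix, idx = (m.group(1), int(m.group(2))) if m else (name, 0)
        groups.setdefault(prefix, []).append((idx, name, kind, value))
    return {p: sorted(f) for p, f in groups.items()}

def reassemble(fragments):
    """Join one group's chunks in index order and decode; None if kinds are mixed or decoding fails."""
    kinds = {f[2] for f in fragments}
    if len(kinds) != 1:
        return None
    joined = "".join(f[3] for f in fragments)
    try:
        return bytes.fromhex(joined) if kinds == {"hex"} else base64.b64decode(joined, validate=True)
    except ValueError:                                # binascii.Error is a ValueError subclass
        return None

def looks_like_pe(blob):
    """An MZ header at offset 0 is the usual tell of an executable meant to be run from memory."""
    return blob is not None and blob[:2] == b"MZ"
```

On a live system the same functions can be fed the output of `winreg.EnumValue` over a key of interest; the grouping step is what makes the split-value variant visible, since no single chunk decodes to anything on its own.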

Notably, while investigating this campaign, the security researcher "The Analyst" found that the REvil infections left victims ransom notes that had already been used in previous attacks.
