In 2019, the hackers who developed Gootkit suffered a data leak after leaving a MongoDB database exposed to the Internet. After this breach, it was assumed that the hackers had stopped their activity completely. However, they are now reappearing.
A security researcher known as "The Analyst" told BleepingComputer last week that Gootkit malware was carrying out attacks against Germany. In this new malicious campaign, the hackers are compromising WordPress websites and using SEO poisoning to display fake forum posts to visitors. These posts appear as question-and-answer threads containing a link that points to fake forms or downloads. When the user clicks the link, a ZIP file containing an obfuscated JS file is downloaded, which installs either Gootkit malware or REvil ransomware. The same method was used by the REvil gang in September 2019, around the time Gootkit disappeared.
These payloads are stored as Base64-encoded or hexadecimal strings, either in a text file or split across multiple Windows Registry values. The loader then reads the payload from the Registry or the text file, decodes it and starts the process directly in memory. Storing payloads in obfuscated form makes it more difficult for security software to detect them.
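The storage scheme just described (an encoded executable spread over numbered Registry values and reassembled by the loader) is something an analyst can check for during triage. The following is an added example, not code from the article or from the malware; it builds a constructed stand-in for such a key (the value names, the "MZ" stub and the path are invented) and reports whether the concatenated chunks decode to something that starts with a PE header.

```python
import base64
import binascii
import re
from typing import Dict, Optional, Tuple

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# Constructed stand-in for an executable: only the 'MZ' stub header matters here.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"

def split_into_values(payload: bytes, encoding: str, size: int = 24) -> Dict[str, str]:
    """Build constructed registry-like data: the encoded payload spread over
    numbered values next to one unrelated value (all names are invented)."""
    if encoding == "hex":
        text = binascii.hexlify(payload).decode()
    else:
        text = base64.b64encode(payload).decode()
    values = {str(i): text[j:j + size] for i, j in enumerate(range(0, len(text), size))}
    values["InstallPath"] = r"C:\Program Files\ExampleApp"
    return values

SAMPLE_B64 = split_into_values(FAKE_PE, "base64")
SAMPLE_HEX = split_into_values(FAKE_PE, "hex")

def reassemble(values: Dict[str, str]) -> Tuple[int, str]:
    """Concatenate numerically named chunks in numeric order; returns (count, blob)."""
    chunks = sorted((int(k), v) for k, v in values.items() if k.isdigit())
    return len(chunks), "".join(v for _, v in chunks)

def decode_blob(blob: str) -> Tuple[Optional[str], Optional[bytes]]:
    """Try hex first (its alphabet is a subset of base64's), then strict base64."""
    if not blob:
        return None, None
    if len(blob) % 2 == 0 and HEX_RE.match(blob):
        return "hex", bytes.fromhex(blob)
    try:
        return "base64", base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None, None

def triage_key(values: Dict[str, str]) -> dict:
    """Summarise whether a key looks like a split, encoded executable."""
    count, blob = reassemble(values)
    encoding, data = decode_blob(blob)
    return {
        "chunks": count,
        "encoding": encoding,
        "pe_header": data is not None and data.startswith(b"MZ"),
        "decoded_bytes": len(data) if data else 0,
    }

if __name__ == "__main__":
    print(triage_key(SAMPLE_B64))
    print(triage_key(SAMPLE_HEX))
```

On a real host the same `triage_key` can be fed the values of a key exported from the Registry; a hit on a key with many numbered values that decode to an "MZ" header is worth escalating, while a single short string is usually nothing.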
It is noteworthy that, during the investigation of this malicious campaign, the security researcher "The Analyst" found that the REvil infection left victims ransom notes that had been used in previous attacks.