A security team is fighting the tricks of this malware group


Some groups of cybercriminals, such as extortion gangs, botnet operators and financial fraudsters, receive special attention for their attacks and activities. But the larger ecosystem that underlies digital crime includes a wide range of malicious actors and organizations that essentially sell support services to these criminal clients. Today, researchers from the security company eSentire are revealing their method for disrupting a longtime criminal enterprise that compromises other businesses and organizations and then sells that digital access to other attackers.

Known as an initial-access-as-a-service operation, the Gootloader malware and the criminals behind it have been compromising and defrauding victims for years. The Gootloader group infects victim organizations and then sells access so that customers can distribute their preferred malware into the compromised target network, whether it is ransomware, data-stealing tools or other tools for penetrating deeper into the target. For example, from tracking Gootloader site data, eSentire researchers have gathered evidence that the notorious Russia-based ransomware gang REvil regularly worked with Gootloader between 2019 and 2022 to obtain initial access to victims, a relationship that other researchers have also documented.

Joe Stewart, principal security researcher at eSentire, and senior threat researcher Keegan Keplinger designed a web crawler to track active Gootloader sites and previously infected sites. So far, the two have seen around 178,000 active Gootloader sites, and more than 100,000 that appear to have previously been infected with Gootloader. In an advisory last year, the US Cybersecurity and Infrastructure Security Agency warned that Gootloader was one of the top malware strains of 2021, along with 10 others.

By tracking Gootloader activity over time, Stewart and Keplinger have identified characteristics of how the Gootloader operators cover their tracks and attempt to avoid detection, which defenders can exploit to protect their networks from being infected.

“Digging deeper into how the Gootloader and malware systems work, you can find all these little opportunities to influence their operations,” says Stewart. “When you get my attention, I’m obsessed with everything, and that’s what you don’t want as a malware author, to have researchers completely diving into your operations.”

Out of sight, out of mind

Gootloader evolved from a banking trojan called Gootkit that has been infecting targets, mainly in Europe, since early 2010. Gootkit is often distributed via phishing emails or infected websites and is designed to steal financial information such as credit card data and bank account credentials. Since activity began in 2020, however, researchers have tracked Gootloader separately, as the malware delivery mechanism is increasingly used to distribute a wide range of criminal software, including both spyware and ransomware.

The Gootloader operators are known for delivering links to compromised documents, especially templates and other generic forms. When targets click the link to download these documents, they unwittingly infect themselves with Gootloader malware. To get targets to initiate the downloads, the attackers use a tactic known as search engine optimization poisoning: they compromise legitimate blogs, especially WordPress blogs, then quietly add content to them that contains malicious document links.

Gootloader is designed to screen connections to infected blog posts against a number of characteristics. For example, if someone logs into a compromised WordPress blog, whether or not they have admin rights, they will be blocked from seeing the blog posts containing malicious links. Gootloader even permanently blocks IP addresses that are numerically close to the one that logged into the relevant WordPress account. The idea is to prevent others in the same organization from seeing the malicious posts.
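The screening behaviour described above gives defenders a concrete check: if the injected post is hidden from anyone who has logged into the site, or from addresses near the admin's, then the same page fetched from an outside vantage point and from inside the organization should differ. The script below is an added example written for this article, not eSentire's crawler or any tooling the researchers described. It diffs the links in two saved copies of a page and flags links served only to the outside view. The site name, the two page snapshots and the /24 "same block" heuristic are all constructed assumptions; the article says only that blocked addresses are "numerically close" to the admin's.

```python
"""
Cloaking check for a WordPress site suspected of hosting SEO-poisoned posts.

Added example, not the researchers' code. Save the same page as fetched from
an outside vantage point (e.g. a VPN exit unrelated to the organization) and
from inside the organization's network, then compare the links each copy
contains. Links that appear only in the outside copy are candidates for an
injected, cloaked post and worth a manual look.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin


class _LinkCollector(HTMLParser):
    """Collect absolute hrefs from <a> tags, resolved against base_url."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.add(urljoin(self.base_url, value))


def extract_links(html, base_url):
    """Return the set of absolute link targets found in an HTML document."""
    parser = _LinkCollector(base_url)
    parser.feed(html)
    return parser.links


def cloaked_links(outside_html, inside_html, base_url):
    """Links present in the outside view but withheld from the inside view."""
    return sorted(extract_links(outside_html, base_url)
                  - extract_links(inside_html, base_url))


def same_block(ip_a, ip_b, prefix_len=24):
    """True if both addresses fall in the same /prefix_len block.

    Assumed heuristic for "numerically close": a test vantage point that
    shares a block with the admin's address may already be blocklisted, so
    its copy of the page is not a useful "outside" sample.
    """
    net = ipaddress.ip_network(f"{ip_a}/{prefix_len}", strict=False)
    return ipaddress.ip_address(ip_b) in net


# Constructed sample snapshots; example-blog.test is a placeholder, not a real site.
BASE_URL = "https://example-blog.test/"

OUTSIDE_VIEW = """<html><body>
<a href="/about/">About</a>
<a href="/2022/05/quarterly-update/">Quarterly update</a>
<div style="display:none">
  <a href="/forms/agreement-template/">download agreement template form</a>
</div>
</body></html>"""

INSIDE_VIEW = """<html><body>
<a href="/about/">About</a>
<a href="/2022/05/quarterly-update/">Quarterly update</a>
</body></html>"""


def run_demo():
    """Compare the two constructed views and return the suspicious links."""
    hits = cloaked_links(OUTSIDE_VIEW, INSIDE_VIEW, BASE_URL)
    for link in hits:
        print("served only to outsiders:", link)
    return hits


if __name__ == "__main__":
    run_demo()
```

In practice the two snapshots come from saving the rendered page with a normal HTTP client from each vantage point; the comparison is deliberately done on the saved copies so that the check can be re-run offline and the outside fetch is not repeated from an address that might then be blocklisted.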
