The operators behind Gootloader, a crew dubbed UNC2565, have upgraded the code in cunning ways to make it more intrusive and harder to find.
Researchers with Google-owned security shop Mandiant started seeing significant changes to the Gootloader malware package – also known as Gootkit – in November 2022, including the use of multiple variations of FONELAUNCH, a .NET-based loader, as well as some newly developed payloads and obfuscation techniques. There are also changes in its infection chain, including a new variant called Gootloader.PowerShell.
“These changes are illustrative of UNC2565’s active development and growth in capabilities,” the researchers wrote in a report, adding that the group is the only one known to use the malware.
A Gootloader infection starts with a search engine optimization (SEO) poisoning attack: a victim searching online for business-related documents, such as templates, agreements, or contracts, is lured to a website compromised by the criminal gang.
This one isn’t stopping
In the months since May 2021, Gootloader has used three variants of FONELAUNCH – FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE.
“The evolution of FONELAUNCH variants over time has allowed UNC2565 to distribute and execute a wider variety of payloads, including DLLs, .NET binaries, and PE files,” the Mandiant researchers wrote.
A second one appeared in October 2021 inside trojanized jQuery libraries rather than hanging out on its own, a likely attempt to evade detection and slow any analysis of the malware, the researchers wrote. It hides itself among more than 10,000 lines of code, according to Mandiant.
Mandiant’s report follows up one released earlier this month by Trend Micro, which said that Gootloader was being used in a series of attacks on organizations in Australia’s healthcare industry. Those analysts found that the threat group was continuing with the SEO poisoning technique for initial access but then abusing VLC Media Player and other legitimate tools to continue the infection.
“The threats targeting specific job sectors, industries, and geographic areas are becoming more aggressive,” the Trend team wrote. “In addition to the continued targeting of the legal sector with the [keyword] ‘agreement’ [in the SEO poisoning effort], we also found that the current operation has also clearly sharpened its targeting capability by including the words ‘hospital’, ‘health’, ‘medical’, and names of Australian cities.” ®