The actors responsible for the Gootkit malware have made significant modifications to their toolset, incorporating new components and obfuscations into their infection methods. The Google-owned cybersecurity firm, Mandiant, is keeping a close eye on the cluster of activity known as UNC2565 and has determined that the usage of the Gootkit malware is exclusive to this group.
Gootkit, also referred to as Gootloader, is distributed through compromised websites that victims are led to through a search engine optimization (SEO) poisoning technique while searching for business-related documents such as agreements and contracts. The malware is concealed in ZIP archives that appear as legitimate documents and, when launched, initiate the deployment of additional payloads such as Cobalt Strike Beacon, FONELAUNCH, and SNOWCONE.
FONELAUNCH, a .NET-based loader, is designed to load encoded payloads into memory, and SNOWCONE, a downloader, retrieves next-stage payloads, typically IcedID, via HTTP. Although the overarching goals of Gootkit have not changed, its attack sequence has undergone significant updates, including the trojanization of the JavaScript file within the ZIP archive and the execution of obfuscated JavaScript files.
The latest variant, referred to as GOOTLOADER.POWERSHELL, was detected by Mandiant in November 2022 and has also been documented by Trend Micro in a recent report on Gootkit attacks targeting the Australian healthcare sector.
To evade detection, the malware authors have employed three distinct methods of obscuring Gootkit, including hiding the code within altered versions of legitimate JavaScript libraries such as jQuery, Chroma.js, and Underscore.js.
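The two delivery details above (a ZIP archive whose contents are JavaScript files named like business agreements or contracts, and trojanized copies of legitimate libraries such as jQuery, Chroma.js and Underscore.js) lend themselves to simple triage checks. The script below is an added illustration, not code from the article or from Mandiant: it flags script entries with document-like names inside a ZIP, and it compares a file that claims to be one of those libraries against a set of known-good SHA-256 hashes. The lure words, the library banner regex and the "clean" library stand-in are all constructed for the example; in practice the known-good hash set would be built from the vendors' published release files.

```python
"""Defensive triage heuristics for the Gootloader delivery chain described above.

Two checks, both constructed for illustration:
1. A ZIP archive whose entries are JavaScript files named like business
   documents (the article: "agreements and contracts" inside a ZIP).
2. A JavaScript file that presents itself as a well-known library (jQuery,
   Chroma.js, Underscore.js) but whose content does not match a known-good
   hash for that library, i.e. a possibly trojanized copy.
"""
from __future__ import annotations

import hashlib
import io
import re
import zipfile

# Lure words named in the article; extend from your own telemetry (assumption).
DOCUMENT_LURE_WORDS = ("agreement", "contract")
SCRIPT_EXTENSIONS = (".js",)

# Library names the article says were used as cover; matched in the file header.
LIBRARY_BANNER = re.compile(r"(jquery|chroma\.js|underscore)", re.I)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def suspicious_zip_entries(zip_bytes: bytes) -> list[str]:
    """Return archive entry names that are scripts named like business documents."""
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTENSIONS) and any(
                word in lower for word in DOCUMENT_LURE_WORDS
            ):
                hits.append(name)
    return hits


def claimed_library(js_text: str) -> str | None:
    """Name of the library the file's header claims to be, or None."""
    match = LIBRARY_BANNER.search(js_text[:512])
    return match.group(1).lower() if match else None


def check_library_integrity(js_bytes: bytes, known_good: dict[str, set[str]]) -> str:
    """Classify a JS file as 'clean', 'altered-library' or 'no-library-claim'.

    A file that advertises itself as a known library but whose hash is not in
    the allow-list for that library is treated as a possibly trojanized copy.
    """
    lib = claimed_library(js_bytes.decode("utf-8", errors="replace"))
    if lib is None:
        return "no-library-claim"
    if sha256_hex(js_bytes) in known_good.get(lib, set()):
        return "clean"
    return "altered-library"


# --- Constructed sample data (not real jQuery, not real malware) -------------
CLEAN_LIB = (
    b"/*! jQuery v0.0-example | stand-in for illustration */\n"
    b"function $(s){return document.querySelector(s);}\n"
)
# The same file with extra code appended, mimicking an altered library copy.
ALTERED_LIB = CLEAN_LIB + b"\n;(function(){/* appended, not part of the library */})();\n"
# Allow-list keyed by library name; here seeded from the constructed clean file.
KNOWN_GOOD: dict[str, set[str]] = {"jquery": {sha256_hex(CLEAN_LIB)}}


def build_sample_zip() -> bytes:
    """Build an in-memory archive shaped like the lure described in the article."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Service Agreement Template.js", ALTERED_LIB)
        zf.writestr("readme.txt", b"benign filler entry")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_zip()
    print("suspicious entries:", suspicious_zip_entries(archive))
    print("clean copy   :", check_library_integrity(CLEAN_LIB, KNOWN_GOOD))
    print("altered copy :", check_library_integrity(ALTERED_LIB, KNOWN_GOOD))
```

The hash check deliberately says nothing about how the extra code is obfuscated; it only asks whether a file that calls itself jQuery is byte-for-byte a release the organisation trusts, which is the property a trojanized library breaks regardless of the obfuscation used.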
UNC2565 has also been using three variants of FONELAUNCH (FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE) since May 2021 to execute DLLs, .NET binaries, and PE files, demonstrating its continued effort to maintain and update its malware arsenal.
According to Mandiant researchers Govand Sinjari and Andy Morales, “these changes demonstrate the active development and growth in capabilities by UNC2565.”