The actors responsible for the Gootkit malware have made significant modifications to their toolset, incorporating new components and obfuscations into their infection methods. The Google-owned cybersecurity firm, Mandiant, is keeping a close eye on the cluster of activity known as UNC2565 and has determined that the usage of the Gootkit malware is exclusive to this group.
Gootkit, also referred to as Gootloader, is distributed through compromised websites that victims are led to through a search engine optimization (SEO) poisoning technique while searching for business-related documents such as agreements and contracts. The malware is concealed in ZIP archives that appear to be legitimate documents and, when launched, initiates the deployment of additional payloads such as Cobalt Strike Beacon, FONELAUNCH, and SNOWCONE.
The latest variant, referred to as GOOTLOADER.POWERSHELL, was detected by Mandiant in November 2022 and has also been documented by Trend Micro in its recent report detailing Gootkit attacks targeting the Australian healthcare sector.
UNC2565 has also been utilizing three variations of FONELAUNCH, namely FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE, since May 2021 to execute DLLs, .NET binaries, and PE files, demonstrating its continued efforts to maintain and update its malware arsenal.
According to Mandiant researchers Govand Sinjari and Andy Morales, “these changes demonstrate the active development and growth in capabilities by UNC2565.”