AhnLab cybersecurity researchers: the malware is downloaded and executed from a WSF file inside a compressed archive, which is delivered via a URL in phishing emails.
Gootloader evolves, targeting highly sensitive assets worldwide. It uses around 700 high-traffic compromised websites as a delivery network and tailored filenames to lure targets.
Gootloader cybercrime actors have expanded their campaign to target highly sensitive assets worldwide, including the financial, military, automotive, pharmaceutical and energy sectors, according to SentinelOne cybersecurity experts. An analysis of over 900 unique droppers shows that the campaign targets diverse enterprise and government verticals, including military, financial, chemistry, banking, automotive, investment and energy organisations, primarily in the US, Canada, Germany and South Korea. Around 700 high-traffic compromised websites serve as the delivery network, and filenames tailored to the victim's search terms are used as the lure, a typical form of social engineering. The attacks have a low static detection rate, robust sandbox evasion techniques and 'fileless' stages. Gootloader operates as an 'Initial Access as a Service' provider, after which a variety of follow-on tools may be deployed. It also appears to 'geofence' its intended targets, delivering the malware only when the victim connects from specific countries.
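Both items above describe the same delivery pattern: a lure-named compressed file that carries a script dropper (a WSF file in the AhnLab note, tailored filenames in the Gootloader analysis). The following triage script is an added example for defenders and is not code from the original article, AhnLab or SentinelOne. It unpacks a zip (recursively, since droppers are often nested zip-in-zip), flags members whose extension is handled by Windows Script Host or mshta, and notes double extensions such as `Statement.pdf.js`. The sample archive, its member names and the `MAX_DEPTH` bound are constructed for the demonstration and are not taken from any real campaign.

```python
"""Triage a compressed attachment for script droppers (WSF/JS/VBS/HTA)."""
import io
import zipfile
from dataclasses import dataclass
from typing import List

# Extensions that Windows Script Host or mshta execute on double-click.
SCRIPT_EXTENSIONS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1"}
# Nested archives are unpacked so a zip-in-zip cannot hide the payload.
ARCHIVE_EXTENSIONS = {".zip"}
MAX_DEPTH = 3  # assumed bound against decompression-bomb style nesting


@dataclass
class Finding:
    path: str    # member path; nested archives are joined with "!"
    reason: str


def _suffix(name: str) -> str:
    """Return the lower-cased final extension, or '' if there is none."""
    base = name.lower().rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:] if dot >= 0 else ""


def triage_archive(data: bytes, prefix: str = "", depth: int = 0) -> List[Finding]:
    """Walk a zip held in memory and report script members and nested archives."""
    if depth > MAX_DEPTH:
        return [Finding(prefix, "nesting deeper than MAX_DEPTH")]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding(prefix or "<root>", "not a valid zip archive")]

    findings: List[Finding] = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = f"{prefix}!{info.filename}" if prefix else info.filename
            base = info.filename.lower().rsplit("/", 1)[-1]
            ext = _suffix(info.filename)
            if ext in SCRIPT_EXTENSIONS:
                reason = f"script payload ({ext})"
                # "Invoice.pdf.js": the real type is the last extension.
                if base.count(".") >= 2:
                    reason += ", double extension"
                findings.append(Finding(full, reason))
            elif ext in ARCHIVE_EXTENSIONS:
                findings.extend(triage_archive(zf.read(info), full, depth + 1))
    return findings


def build_sample() -> bytes:
    """Constructed sample (not a real artefact): an outer zip with a decoy text
    file, a double-extension JS file and an inner zip holding a WSF dropper."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Contract_Agreement.wsf",
                   "<job><script language='JScript'>/* placeholder */</script></job>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "decoy text")
        z.writestr("Statement.pdf.js", "// placeholder")
        z.writestr("Contract_Agreement.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for f in triage_archive(build_sample()):
        print(f"{f.path}: {f.reason}")
```

Run against a real attachment with `triage_archive(open(path, "rb").read())`; any finding is a reason to detonate the file in a sandbox rather than open it, and a finding on a nested member is worth a closer look since the outer archive often looks benign on its own.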