"Gootloader" campaign active since Jan. 2021 is targeting enterprise verticals worldwide.
900 unique droppers identified with very low VirusTotal detection
Security researchers at SentinelOne say they have identified a threat campaign involving the Gootloader malware that is actively targeting "diverse enterprise and government verticals including military, financial, chemistry, banks, automotive, investment companies and energy stakeholders" via compromised websites.
The endpoint detection firm says it has identified over 900 unique Gootloader "droppers" -- or tools to deliver malware -- with very low detection rates on VirusTotal, with the initial payload being delivered via websites hijacked to host a JavaScript redirector.
Its analysis suggests the Gootloader campaign is being used to provide ‘Access as a Service’ for ransomware operators.
(IOCs, YARA rules, SHA1 hashes etc. are at the bottom of the page.)
The campaign is primarily targeting companies and government organisations in the US, Canada, Germany, and South Korea, with some 700 high-traffic websites used as a delivery network.
"The campaign uses tailored filenames to lure targets in a typical form of social engineering," SentinelOne's Antonio Pirozzi noted, adding: "the loader is composed of three highly obfuscated layers that contain encoded URLs. These form part of a network of compromised websites used to deliver the final payload." (This is typically one of BlueCrab, Cobalt Strike Beacons, Gootkit, Kronos, or REvil, he added.)
"We see Gootloader as a cluster of activity representing an ‘Initial Access as a Service’ business model, allowing it to distribute malware for different cybercrime groups for affiliate fees. All of the above payloads are known ‘MaaS’ (Malware-as-a-Service) families that thrive on affiliate distribution models. Seeing that in some cases the payload distributed is Cobalt Strike, we cannot exclude that the Gootloader operators are conducting their own reconnaissance or credential harvesting for further gain."
You can see SentinelOne's technical write-up here.