The group behind the Windows Gootloader malware, known as UNC2565, has effectively modified the code to make it more intrusive and difficult to detect.
Researchers at Mandiant noted that UNC2565 started making significant adjustments to its operational tactics, techniques, and procedures (TTPs) in 2022.
The distribution of additional follow-on payloads, the use of various FONELAUNCH launcher variants, and changes to the GOOTLOADER downloader and infection chain, including the addition of GOOTLOADER.POWERSHELL, are among these enhancements.
Fileless Technique to Deploy Ransomware
Infections with GOOTLOADER start when a user searches online for business-related documents like templates, contracts, or agreements.
In this case, if the GOOTLOADER file is successfully executed, further payloads, such as FONELAUNCH and Cobalt Strike BEACON or SNOWCONE, will be downloaded and stored in the registry. In the subsequent stages, PowerShell is used to execute these payloads.
More payloads like Cobalt Strike, FONELAUNCH, and SNOWCONE are uploaded after the file is opened and the malware is activated, along with another group of downloaders containing payloads like the well-known IcedID banking trojan.
Since May 2021, Gootloader has utilized three different FONELAUNCH variants: FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE.
“The evolution of FONELAUNCH variants over time has allowed UNC2565 to distribute and execute a wider variety of payloads, including DLLs, .NET binaries, and PE files”, according to Mandiant researchers.
Around October 2021, Managed Defense observed GOOTLOADER embedded within trojanized jQuery libraries instead of being on its own, likely in an attempt to evade detection and hinder analysis.
Researchers discovered new samples in August 2022 with slight adjustments to the obfuscation code. The obfuscated string variables in these new samples were spread across the file rather than being contained on a single line.
A new obfuscation variation with a modified infection that is more complicated than the prior versions was noticed by researchers in November 2022.
The successful execution of GOOTLOADER will result in the download of two additional payloads, FONELAUNCH and an in-memory dropper that typically delivers BEACON, to the registry paths.
These malware samples are stored in the Windows registry, where they are designed to hide and avoid detection. GOOTLOADER then launches these payloads in memory.
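One way a defender could triage a registry export for payloads stored as described above. This is an added example, not code from Mandiant or the original article. The 4096-byte threshold, the function name and the sample keys are assumptions chosen for illustration.

```python
import re

MIN_BYTES = 4096  # assumed triage threshold, not a value from the article
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
ENCODED_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")  # hex or base64 alphabet only

def find_large_values(text, min_bytes=MIN_BYTES):
    """Return (key, value name, kind, size) for oversized encoded or binary values."""
    findings, key = [], None
    # Join hex continuation lines: a trailing backslash continues on the next line.
    for line in re.sub(r"\\\r?\n[ \t]*", "", text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
        data = m.group(2)
        if data.startswith('"'):
            body = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo .reg escaping
            kind, size = "string", len(body)
            # Long strings with no spaces or punctuation look like stored blobs.
            hit = size >= min_bytes and bool(ENCODED_RE.fullmatch(body))
        elif data.startswith("hex"):
            # hex:, hex(2):, hex(7): each comma-separated token is one byte.
            kind, size = "binary", sum(1 for b in data.partition(":")[2].split(",") if b.strip())
            hit = size >= min_bytes
        else:
            continue  # dword values are fixed-size and small
        if hit:
            findings.append((key, name, kind, size))
    return findings

# Constructed sample export (hypothetical key and filler data, not real indicators).
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_CURRENT_USER\Software\ExampleApp]",
    r'"InstallDir"="C:\\Program Files\\ExampleApp"',
    '"Notes"="' + "plain text with spaces " * 300 + '"',
    '"Blob"="' + "ab" * 3000 + '"',
    '"Raw"=hex:' + ",\\\n  ".join(",".join(["00"] * 16) for _ in range(300)),
])

if __name__ == "__main__":
    for finding in find_large_values(SAMPLE):
        print(finding)
```

Exports written by `reg export` are UTF-16 encoded, so decode the file before passing its text in. The findings are a review list only: large legitimate values exist, so each hit still needs manual inspection.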
As a result, the threat to particular industries, geographic regions, and job sectors is expanding. The current operation has also clearly sharpened its targeting by adding the keywords “hospital”, “health”, and “medical”, as well as the names of Australian cities, while continuing to target the legal sector with the keyword “agreement” in its SEO poisoning effort.