Hackers Using Compromised Websites to Deliver Gootkit, REvil
Researchers: Campaign Targets Victims in Germany
A hacking campaign in Germany is using compromised websites and social engineering tactics to trick users into downloading malicious payloads, according to the security firm Malwarebytes.
Once the payloads are downloaded, the victims' devices are infected with Gootkit, a banking Trojan that is capable of recording video to steal financial information from victims. And in a few cases, devices have been infected by REvil ransomware, Malwarebytes notes.
It's unclear how many victims have been infected since the campaign began in November. But Malwarebytes notes it has detected at least 600 devices across Germany that appear to have been targeted.
"We believe this new campaign started in early November, although it became more noticeable by mid-November," says Jerome Segura, director of threat intelligence at Malwarebytes. "So far, every single hit we have detected has been in Germany. This does raise some interesting questions perhaps about an affiliate with deep knowledge of the German market."
Kevin Beaumont, senior threat intelligence analyst at Microsoft Threat Intelligence, said on Twitter that the hacking group behind this campaign seems to be using search engine optimization techniques.
Please note it appears GootKit is targeting German-speaking organisations, using search engine optimisation for German phrases -> compromise sites. — Kevin Beaumont (@GossiTheDog) November 25, 2020
GootKit arrives as a .zip file on user PCs from said websites, with a .js file inside. This establishes a fileless trojan. https://t.co/6ISjBuXsTm
The hackers start by using compromised websites that are surfaced to victims through search engine optimization, the Malwarebytes report notes. They then add a fake question-and-answer thread to the compromised websites to trick users into downloading a file.
"This template mimics a forum thread where a user asks in German for help about a specific topic and receives an answer which appears to be exactly what they were looking for," the report notes. "It’s worth noting that the hacked sites hosting this template are not German (only the template is); they simply happen to be vulnerable and are used as part of the threat actor’s infrastructure."
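The delivery pattern described above, a zip archive whose only content is a script file, is something a mail gateway or download scanner can flag before a user ever double-clicks it. The following Python routine is an added example written for this article; it is not code from Malwarebytes, from the campaign, or from Beaumont's tweet. It inspects an archive in memory, lists any script members, notes double extensions such as "rechnung.pdf.js", and reports the archive as a lure when every file in it is a script. Only .js is named in the tweet; the other script extensions, the decoy-extension list and the sample archives are constructed assumptions.

```python
import io
import zipfile

# Script types that run directly under the Windows Script Host or mshta when
# double-clicked. Only .js is named in the tweet above; the rest are an
# assumption added for generality.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")

# Document-looking extensions used to spot double extensions such as
# "invoice.pdf.js" (assumed list, not from the article).
DECOY_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def inspect_archive(zip_bytes: bytes) -> dict:
    """Classify a zip archive held in memory.

    Returns a dict with:
      valid      - False if the bytes are not a readable zip archive
      members    - names of all file members (directories excluded)
      scripts    - members whose extension is a script type
      double_ext - scripts that also carry a decoy document extension
      lure       - True when every file in the archive is a script, i.e. the
                   'zip wrapping a .js' delivery pattern described above
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            infos = [i for i in zf.infolist() if not i.is_dir()]
    except zipfile.BadZipFile:
        return {"valid": False, "members": [], "scripts": [],
                "double_ext": [], "lure": False}

    members = [i.filename for i in infos]
    scripts = [n for n in members if n.lower().endswith(SCRIPT_EXTENSIONS)]
    double_ext = []
    for name in scripts:
        stem = name.lower().rsplit(".", 1)[0]  # strip the script extension
        if stem.endswith(DECOY_EXTENSIONS):
            double_ext.append(name)

    return {
        "valid": True,
        "members": members,
        "scripts": scripts,
        "double_ext": double_ext,
        "lure": bool(members) and len(scripts) == len(members),
    }


def build_zip(files: dict) -> bytes:
    """Build a zip archive in memory from {name: text}; used only for samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed samples: the script bodies are inert placeholder comments,
# not anything taken from the campaign.
LURE_ZIP = build_zip({"vertrag vorlage.js": "// placeholder, inert\n"})
DOUBLE_EXT_ZIP = build_zip({"rechnung.pdf.js": "// placeholder, inert\n"})
BENIGN_ZIP = build_zip({"readme.txt": "hello\n",
                        "report.pdf": "%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, data in (("lure", LURE_ZIP), ("double", DOUBLE_EXT_ZIP),
                        ("benign", BENIGN_ZIP), ("garbage", b"not a zip")):
        print(label, inspect_archive(data))
```

The check is deliberately structural rather than signature-based: it does not look at the script's contents, so it still fires on a freshly repacked sample, and a corrupt or non-zip download is reported as invalid rather than raising.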
Gootkit, which has been active since 2014, is known to target victims intermittently before disappearing again. Before the November campaign that Malwarebytes analyzed, Gootkit was last known to be active in July 2019. Although it first emerged as a banking Trojan, it has since evolved to become sophisticated info-stealing malware, researchers note.
In a few of the cases that the researchers found, the Gootkit loader also attempted to deliver REvil ransomware to the victims' devices, the report notes.
"One thing we noticed in the REvil sample we collected is that the ransom note still points to decryptor.top instead of decryptor.cc, indicating that this could be an older sample," the report notes.
But no ransomware cases associated with the campaign have been detected so far, Segura says.
REvil, which is also known as Sodinokibi, has been active since 2019. The operators are suspected of several high-profile attacks over the last year, including those targeting Travelex and Indian IT firm Cognizant.