Fraud Management & Cybercrime , Fraud Risk Management , Next-Generation Technologies & Secure Development

Hackers Using Compromised Websites to Deliver Gootkit, REvil

Researchers: Campaign Targets Victims in Germany
Hackers Using Compromised Websites to Deliver Gootkit, REvil
A hacking campaign that attempts to install either the Gootkit Trojan or REvil ransomware has targeted victims throughout Germany. (Source: Malwarebytes)

A hacking campaign in Germany is using compromised websites and social engineering tactics to trick users into download malicious payloads, according to the security firm Malwarebytes.

See Also: 57 Tips to Secure Your Organization

Once the payloads are downloaded, the victims’ devices are infected with Gootkit, a banking Trojan that that is capable of recording video to steal financial information from victims. And in a few cases, devices have been infected by REvil ransomware, Malwarebytes notes.

It's unclear how many victims have been infected since the campaign began in November. But Malwarebytes notes it has detected at least 600 devices across Germany that appear to have been targeted.

"We believe this new campaign started in early November, although it became more noticeable by mid-November," says Jerome Segura, director of threat intelligence at Malwarebytes. "So far, every single hit we have detected has been in Germany. This does raise some interesting questions perhaps about an affiliate with deep knowledge of the German market."

Kevin Beaumont, senior threat intelligence analyst at Microsoft Threat Intelligence, said on Twitter that the hacking group behind this campaign seems to be using search engine optimization techniques.

Attack Tactics

The hackers start by using compromised websites that are spread through search engine optimization, the Malwarebytes report notes. They then add a fake question and answer session to the compromised websites to trick users into download a file.

"This template mimics a forum thread where a user asks in German for help about a specific topic and receives an answer which appears to be exactly what they were looking for," the report notes. "It’s worth noting that the hacked sites hosting this template are not German (only the template is); they simply happen to be vulnerable and are used as part of the threat actor’s infrastructure."

This fake temple also contains a malicious zip file. When downloaded, it executes the JavaScript Gootkit loader on the victims' devices, the report notes. The loader then downloads the final Trojan payload for exfiltrating victims' data

Gootkit, which has been active since 2014, is known to target victims intermittently before disappearing again. Before the November campaign that Malwarebytes analyzed, Gootkit was last known to be active in July 2019. Although it first emerged as a banking Trojan, it has since evolved to become sophisticated info-stealing malware, researchers note.

REvil Ransomware

In a few of the cases that the researchers found, the Gootkit loader also attempted to deliver REvil ransomware to the victim's devices, the report notes.

"One thing we noticed in the REvil sample we collected is that the ransom note still points to decryptor.top instead of decryptor.cc, indicating that this could be an older sample," the report notes.

But no ransomware cases associated with the campaign have been detected so far, Segura says.

REvil, which is also known as Sodinokibi, has been active since 2019. The operators are suspected of several high-profile attacks over the last year, including those targeting Travelex and Indian IT firm Cognizant.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.