Recently Malwarebytes researchers have released a report stating that Gootkit information-stealing trojan has returned back to work after a long break, and is working alongside REvil (Sodinokibi) ransomware in a new campaign.
The emerging duo
According to the report, security researcher TheAnalyst had identified the emergence of the Gootkit malware targeting Germany in November, for which Germany’s DFN-CERT had issued a warning.
- In the wake of the campaign, this trojan and ransomware partnership is relying on compromised websites such as WordPress to socially engineer users by using a decoy forum template.
- The campaign utilizes SEO poisoning techniques instructing potential victims to download a malicious file. These malicious files are embedded with PE payloads to perform fileless attacks of either Gootkit or REvil.
- It uses a sophisticated loader that performs a number of steps to evade detection.
- The role of REvil in this malicious campaign was to drop ransom notes used in previous attacks that were likely created during the use of an older version of the ransomware.
Recent partnerships in the cyberworld
Recently, several banking malware have been observed turning into loaders for delivering ransomware and performing sophisticated attacks to target high-profile victims.
- In November, Cisco Talos threat researchers observed a series of ransomware attacks on healthcare organizations using TrickBot as a dropper to deploy Ryuk and Conti ransomware as payloads.
- Furthermore, Check Point Research had reported that TrickBot and Emotet had topped the Global Threat Index for October 2020, and were being used for distributing ransomware against hospitals and healthcare providers.
Several ransomware gangs have entered into partnerships with DDoS hackers and other malware groups to extort victims. Such collaborations have prompted cybercriminals to launch more malware infections and ransomware campaigns on compromised devices.