As early as November 23, the researchers received an alert from a partner about a resurgence of the Gootkit attack in Germany. Gootkit is a powerful banking Trojan that has existed since 2014 and has many capabilities, such as keystroke logging and video recording, designed to steal financial information.
In the latest activity, attackers use a decoy forum template to lure users into downloading malicious files, relying on compromised websites to carry out the social engineering against users.
While analyzing the complex malware loader, the researchers made a surprising discovery: victims receive either Gootkit itself or, in some cases, the REvil (Sodinokibi) ransomware. Whether a payload is delivered at all is decided only after a check against the criminals' infrastructure.
A security researcher known as The Analyst first publicly identified an active sample of the Gootkit attack using the complex loader in November. The loader ultimately led back to Gootkit, which had been quiet for a long time. The German computer emergency response team DFN-CERT later confirmed that compromised websites were being used in the attack.
Around the same time, researchers began receiving reports of Gootkit-related traffic from partners and their ISPs. Within their telemetry, the researchers were able to confirm that all Gootkit detections were in Germany.
Within a few days, the researchers had remediated more than 600 infected computers.
The initial loader is distributed through hacked websites and uses an interesting search engine optimization (SEO) technique: a fake, customized template designed to trick users into downloading a file.
The template mimics a forum thread in which a user asks, in German, for help on a specific topic and receives an answer that appears to be exactly what they were looking for. Notably, the hacked sites hosting this template are not German (only the template is); they are simply vulnerable sites used as part of the attack infrastructure.