The threat actors associated with the Gootkit malware have made “notable changes” to their toolset, adding new components and obfuscations to their infection chains.
Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is “exclusive to this group.”
Gootkit, also called Gootloader, is spread through compromised websites that victims are tricked into visiting when searching for business-related documents like agreements and contracts via a technique called search engine optimization (SEO) poisoning.
FONELAUNCH is a .NET-based loader designed to load an encoded payload into memory, and SNOWCONE is a downloader that’s tasked with retrieving next-stage payloads, typically IcedID, via HTTP.
The new variant, which was spotted by the threat intelligence firm in November 2022, is being tracked as GOOTLOADER.POWERSHELL. It’s worth noting that the revamped infection chain was also documented by Trend Micro earlier this month, detailing Gootkit attacks targeting the Australian healthcare sector.
It’s not just Gootkit, as three different flavors of FONELAUNCH – FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE – have been put to use by UNC2565 since May 2021 to execute DLLs, .NET binaries, and PE files, indicating that the malware arsenal is being continuously maintained and updated.
“These changes are illustrative of UNC2565’s active development and growth in capabilities,” Mandiant researchers Govand Sinjari and Andy Morales said.