fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Gootkit Malware Returns To Life Alongside REvil Ransomware

Gootkit Malware Returns To Life Alongside REvil Ransomware

After a year-long vacation, the Gootkit information-stealing Trojan has returned to life alongside REvil Ransomware in a new campaign targeting Germany.

The Gootkit Trojan is Javascript-based malware that performs various malicious activities, including remote access for threat actors, keystroke capturing, video recording, email theft, password theft, and the ability to inject malicious scripts to steal online banking credentials.

Last year, the Gootkit threat actors suffered a data leak after leaving a MongoDB database exposed on the Internet. After this breach, it was believed that the Gootkit actors had shut down their operation until they suddenly came alive again earlier this month.

Gootkit bursts back to life with ransomware partnership

Last week, a security researcher known as The Analyst told BleepingComputer that the Gootkit malware had emerged again in attacks targeting Germany.

In this new malicious campaign, threat actors are hacking WordPress sites and utilizing SEO poisoning to display fake forum posts to visitors. These posts pretend to be a question and answers with a link to fake forms or downloads.

Also Read: How to Send Mass Email Without Showing Addresses: 2 Great Workarounds

Fake forum post showed in the Gootkit campaign

When the user clicks on the link, they will download a ZIP file containing an obfuscated JS file that will install either the Gootkit malware or the REvil ransomware.

Obfuscated JS script

This same distribution method was previously used by REvil in September 2019, around the same time that Gootkit had disappeared.

Gootkit and REvil installed in fileless attacks

In a new report released today, Malwarebytes’ researchers explain that the malicious JavaScript payloads will perform fileless attacks of either Gootkit or REvil.

When launched, the JavaScript script will connect to its command and control server and downloads another script that contains the malicious malware payload.

In Malwarebytes’ analysis, this payload is usually Gootkit, but it was also REvil ransomware in some cases.

“After conversion to ASCII, the next JavaScript is revealed, and the code is executed. This JavaScript comes with an embedded PE payload which may be either a loader for Gootkit, or for the REvil ransomware. There are also some differences in the algorithm used to deobfuscate it,” Malwarebytes stated in their report.

These payloads would be stored as Base64 encoded or hexadecimal strings in either a text file or split up into numerous Windows Registry values, as shown below.

Payload stored in the Windows Registry
Source: Malwarebytes

The loader will eventually read the Registry or text file’s payloads, decode it, and filelessly launch the process directly into memory.

Using obfuscated payloads and to break them up into pieces stored in the Registry, makes it harder for security software to detect the malicious payloads.

“The threat actors behind this campaign are using a very clever loader that performs a number of steps to evade detection. Given that the payload is stored within the registry under a randomly-named key, many security products will not be able to detect and remove it,” Malwarebytes explains.

Also Read: How a Smart Contract Audit Works and Why it is Important

An interesting discovery found by The Analyst when testing this malicious campaign was that the Revil infection dropped ransom notes used in previous attacks.

This error was likely caused by the distribution campaign using an older version of REvil ransomware and forgetting to refresh it with a newer version.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us