After a year-long lull, the Gootkit data-stealing Trojan is again being used by cybercriminals. According to a security researcher known under the pseudonym The Analyst, last week the Trojan was deployed alongside the REvil ransomware in a malicious campaign aimed at users in Germany.
Gootkit is a JavaScript-based Trojan capable of performing a range of malicious functions, including giving its operators remote access to an infected system, logging keystrokes, recording video, stealing emails and passwords, and injecting malicious scripts into web pages to steal banking data.
Last year, the Gootkit cybercriminal group itself suffered a data breach after inadvertently leaving an unsecured MongoDB database exposed on the public internet. The Trojan's operators were thought to have scaled back their activities following the incident, but they resumed operations last month.
In the new campaign, the attackers compromise WordPress sites and use a technique known as SEO poisoning so that the sites rank in search results and redirect visitors to fake forum posts. These posts are dressed up as questions and answers and contain links to fake forums and downloads.
According to Malwarebytes, when a user clicked on such a link, a ZIP archive containing an obfuscated JS file was downloaded to their computer; once the script was executed, it installed either the Gootkit Trojan or the REvil ransomware. The same method of attack was used by the REvil operators in September 2019, right around the time the Gootkit group allegedly ceased to exist.