In addition, Italian cybersecurity firm Cleafy researchers Federico Valentini and Alessandro Strino reported an ongoing financial fraud campaign since at least 2019 that leverages a new web-inject toolkit called drIBAN. The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments, altering legitimate banking transfers performed by the victims and transferring money to an illegitimate bank account.
These accounts are either controlled by the threat actors or their affiliates, who are then tasked with laundering the stolen funds. The fraudulent transactions are often realized by means of a technique called Automated Transfer System (ATS) that's capable of bypassing anti-fraud systems put in place by banks and initiating unauthorized wire transfers from a victim's own computer.
The operators behind drIBAN have become more adept at avoiding detection and developing effective social engineering strategies, in addition to establishing a foothold for long periods in corporate bank networks. Furthermore, there are indications that the activity cluster overlaps with a 2018 campaign mounted by an actor tracked by Proofpoint as TA554 targeting users in Canada, Italy, and the U.K.
Organisations need to be aware of these threats and take immediate action to protect their systems from cyberattacks. The ACN has reported that dozens of Italian organisations have been likely affected by the global ransomware attack and many more have been warned to take action to avoid being locked out of their systems.
Mandiant Managed Defense has reliably resolved GOOTLOADER infections since January 2021. When spreading GOOTLOADER, malicious actors cast a wide net, affecting a variety of industrial verticals and geographical areas.
Gootkit Malware
The Gootkit Trojan is Javascript-based malware that carries out a number of malicious tasks, such as authorizing threat actors remote access, recording video, capturing keystrokes, stealing emails, stealing passwords, and having the ability to inject malicious files to steal online banking login details.
Gootkit previously spread malware in the disguise of freeware installers, but now it deceives users into downloading these files by presenting them as legal documents. A user enters a search query into a search engine to begin the attack chain.
Mandiant Managed Defense believes that UNC2565, a group it tracks, is the sole group that the GOOTLOADER virus and infrastructure belong to at this time. Due to these breaches' rapid detection and mitigation, Mandiant's observation of post-compromise GOOTLOADER activities has mostly been restricted to internal surveillance.
If the GOOTLOADER file is successfully executed, other payloads like FONELAUNCH and Cobalt Strike BEACON or SNOWCONE that are saved in the registry will be downloaded. Future phases include PowerShell being used to execute these payloads.
The. NET-based loader FONELAUNCH is intended to load an encoded payload into memory, while the downloader SNOWCONE is responsible for obtaining next-stage payloads, notably IcedID, through HTTP.
The primary aims of Gootkit have remained the same, however, the attack process has undergone substantial modifications. Currently, the JavaScript file contained in the ZIP archive is trojanized and contains a different JavaScript file that is obfuscated and then begins to execute the malware.
Furthermore, to avoid detection, the malware's creators allegedly used three distinct strategies to cloak Gootkit, including hiding the code inside modified versions of trustworthy JavaScript libraries like jQuery, Chroma.js, and Underscore.js. These modifications show how actively developing and expanding UNC2565's capabilities remain.