The malware delivery method used by the threat actors behind the REvil ransomware and the Gootkit banking trojan has evolved into a multi-payload platform designed to deliver a wider variety of malware. Dubbed ‘Gootloader’ by Sophos researchers, the framework has been observed deploying an array of malware payloads in attacks against users in South Korea, Germany, France and the United States.
In the latest campaigns the Gootloader framework has been used to deliver the Kronos trojan and Cobalt Strike in addition to the REvil and Gootkit malware.
“In its latest attempts to evade detection by endpoint security tools, Gootloader has moved as much of its infection infrastructure to a “fileless” methodology as possible. While it isn’t completely fileless, these techniques are effective at evading detection over a network – right up to the point where the malicious activity trips over behavioral detection rules,” Sophos Labs explains.
The Gootloader infection chain starts with sophisticated social engineering techniques that involve hacked websites, malicious ZIP archive files hosted on websites belonging to legitimate businesses, and manipulated search engine optimization (SEO). When a user types a question into a search engine such as Google, the hacked websites appear in search results.
When the visitor clicks the “direct download link” provided on the web page, they receive a .zip archive file with a filename that exactly matches the search query terms used in the initial search. This archive contains a .js file, which is the initial infector. At this stage of the infection a malicious file is written to the filesystem; however, everything that happens after the victim double-clicks the script runs entirely in memory.
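The two delivery traits described above (a ZIP named after the victim's own search query, holding a script file that Windows will run on double-click) can be checked on a mail or download gateway before the user ever opens the archive. The following is an added example written for this article, not code from Sophos or from the Gootloader analysis; the archive contents and search query are constructed samples, and the extension list is an assumption about which file types Windows Script Host executes directly.

```python
import io
import os
import re
import zipfile
from typing import Optional

# Assumption: extensions that Windows opens with a script host on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def _normalize(text: str) -> str:
    """Lower-case the text and collapse punctuation/whitespace so that
    'What is a contract template?' and 'what is a contract template' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", text.lower()).split())


def triage_archive(archive_name: str, data: bytes,
                   search_query: Optional[str] = None) -> dict:
    """Inspect a ZIP held in memory and report Gootloader-style delivery traits.

    The archive is flagged as suspicious when it carries a script member and
    either consists of nothing but scripts or is named after the search query
    that led the user to the download page.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Directory entries end with '/', skip them; only real files matter.
        members = [n for n in zf.namelist() if not n.endswith("/")]

    script_members = [
        n for n in members
        if os.path.splitext(n)[1].lower() in SCRIPT_EXTENSIONS
    ]
    scripts_only = bool(members) and len(script_members) == len(members)

    archive_stem = os.path.splitext(os.path.basename(archive_name))[0]
    query_match = (
        search_query is not None
        and _normalize(archive_stem) == _normalize(search_query)
    )

    return {
        "members": members,
        "script_members": script_members,
        "scripts_only": scripts_only,
        "query_match": query_match,
        "suspicious": bool(script_members) and (scripts_only or query_match),
    }


def build_sample_lure() -> bytes:
    """Constructed sample: a one-member ZIP whose only file is a .js script,
    mirroring the lure shape described in the article. The script body is inert text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("what is a contract agreement template.js",
                    "// inert placeholder standing in for the first-stage script\n")
    return buf.getvalue()


def build_sample_benign() -> bytes:
    """Constructed sample: an ordinary archive with documents and no scripts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.pdf", "%PDF-1.4 placeholder\n")
        zf.writestr("notes.txt", "meeting notes\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_archive("what is a contract agreement template.zip",
                         build_sample_lure(),
                         "What is a contract agreement template?"))
    print(triage_archive("quarterly.zip", build_sample_benign(), "quarterly report"))
```

The query comparison is deliberately loose (punctuation and case are ignored) because the search string the user typed and the archive name the site hands back differ only cosmetically; a gateway that has no access to the originating search still benefits from the scripts-only check alone.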
The researchers have not been able to determine how the attackers gained access to websites in the first place. It is possible that the hackers could have done this by using the sites’ passwords stolen by the Gootkit malware or obtained from criminal markets that sell stolen credentials, or by leveraging any of a number of security exploits in the plugins or add-ons of the CMS software.
Following the website’s compromise, the attackers insert a few additional lines of code into the web page. The first-stage script, which is obfuscated, attempts to contact the command-and-control (C2) server. If the attempt is successful, the second-stage malware process then creates an auto-run entry for a PowerShell script that doesn’t execute until the system reboots, creating an effective way for attackers to evade detection.
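Because the chain runs in memory after the initial .js is launched, the durable host-side signal is the sequence of a user-launched script host followed by an auto-run entry that references PowerShell. The detection below is an added example written for this article, not Sophos code; it correlates constructed process-creation and registry events in a Sysmon-like shape (the field names and the ten-minute window are assumptions) and raises an alert when a Run/RunOnce write pointing at PowerShell follows a double-clicked .js on the same host.

```python
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RUN_KEY_MARKERS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)

# Constructed sample events. ws01 shows the chain described in the article;
# ws02 shows a logon script and a normal installer writing an autorun entry.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T09:14:02", "host": "ws01", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp'
                r'\Temp1_what is a contract agreement template.zip\what is a contract agreement template.js"'},
    {"ts": "2021-03-01T09:14:05", "host": "ws01", "type": "registry",
     "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r'powershell.exe -w hidden -c "<constructed placeholder>"'},
    {"ts": "2021-03-01T09:20:00", "host": "ws02", "type": "process",
     "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "\\fileserver\netlogon\mapdrives.vbs"'},
    {"ts": "2021-03-01T09:21:00", "host": "ws02", "type": "registry",
     "image": r"C:\Windows\System32\msiexec.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "value": r'"C:\Program Files\Vendor\agent.exe" --tray'},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_script_double_click(e: dict) -> bool:
    """A script host started by the shell with a .js argument: the user opened the lure."""
    return (_basename(e["image"]) in SCRIPT_HOSTS
            and _basename(e["parent"]) == "explorer.exe"
            and ".js" in e["cmdline"].lower())


def is_powershell_autorun(e: dict) -> bool:
    """A Run/RunOnce value whose payload invokes PowerShell."""
    key = e["key"].lower()
    return any(m in key for m in RUN_KEY_MARKERS) and "powershell" in e["value"].lower()


def detect_gootloader_chain(events, window=timedelta(minutes=10)):
    """Per host, pair a PowerShell autorun write with a preceding script-host
    launch inside the window, or with a script host writing the key itself."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        recent_scripts = []  # (timestamp, event) of user-launched .js scripts
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["type"] == "process" and is_script_double_click(e):
                recent_scripts.append((t, e))
            elif e["type"] == "registry" and is_powershell_autorun(e):
                recent_scripts = [(st, se) for st, se in recent_scripts if t - st <= window]
                if recent_scripts or _basename(e["image"]) in SCRIPT_HOSTS:
                    alerts.append({
                        "host": host,
                        "rule": "script-host launch followed by PowerShell autorun",
                        "autorun_key": e["key"],
                        "script_cmdline": recent_scripts[-1][1]["cmdline"] if recent_scripts else None,
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect_gootloader_chain(SAMPLE_EVENTS):
        print(alert)
```

The rule fires on the relationship between the two events rather than on either alone: script hosts run legitimate logon scripts, and installers write Run keys all day, so neither signal is worth an alert by itself. Because the autorun entry is dormant until the next reboot, the registry write is also the last chance to catch the chain before the machine comes back up already infected.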
“At several points, it’s possible for end users to avoid the infection, if they recognize the signs. The problem is that even trained people can easily be fooled by the chain of social engineering tricks Gootloader’s creators use. Script blockers like NoScript for Firefox could help a cautious web surfer remain safe by preventing the initial replacement of the hacked web page from happening, but not everyone uses those tools (or finds them convenient or even intuitive). Even attentive users who are aware of the trick involving the fake forum page might not recognize it until it’s too late,” Sophos warns.