{"id":641686,"date":"2023-04-26T10:05:43","date_gmt":"2023-04-26T15:05:43","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/04\/26\/researchers-deal-blow-to-gootloader-gang-that-supported-revil\/"},"modified":"2023-04-26T10:05:43","modified_gmt":"2023-04-26T15:05:43","slug":"researchers-deal-blow-to-gootloader-gang-that-supported-revil","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/04\/26\/researchers-deal-blow-to-gootloader-gang-that-supported-revil\/","title":{"rendered":"Researchers deal blow to Gootloader gang that supported REvil"},"content":{"rendered":"<div id=\"content-header\">\n<h2>Thousands of compromised WordPress blogs have been spreading the Gootloader malware for years, but eSentire\u2019s security research team are turning the tables on the gang that played a key role in REvil ransomware attacks<\/h2>\n<\/div>\n<div id=\"content-center\">\n<ul>\n<li><i data-icon=\"1\"><\/i><\/li>\n<li><i data-icon=\"2\"><\/i><\/li>\n<\/ul>\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>26 Apr 2023 15:00<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>Security researchers at <a href=\"https:\/\/www.computerweekly.com\/microscope\/news\/252529610\/MDR-resonating-as-an-option-with-both-channel-and-customers\">managed detection and response<\/a> (MDR) specialist <a href=\"https:\/\/www.esentire.com\/\">eSentire<\/a> have revealed how they are turning the tables on an expansive cyber crime operation that has lured in thousands of people working at law firms and in-house legal departments in the UK, Australia, 
Canada and the US over the past 15 months.<\/p>\n<p>Known as Gootloader, the operation specialises in obtaining initial access to victim networks and then offers this on an as-a-service basis to downstream cyber criminals, including the REvil ransomware operation <a href=\"https:\/\/www.computerweekly.com\/news\/252483193\/Law-firm-hackers-threaten-to-release-dirt-on-Trump\">which hacked a law firm representing the then US president Donald Trump<\/a> in 2020.<\/p>\n<p>Gootloader has been a long-standing threat since at least 2020, and was named as <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa22-216a\">one of CISA\u2019s top threats in 2021<\/a>.<\/p>\n<p>ESentire\u2019s Threat Response Unit (TRU), led by Joe Stewart and Keegan Keplinger, has stopped attacks on 12 different organisations in which employees were lured to compromised WordPress blogs that Gootloader\u2019s operators have gamed to the top of Google search rankings using a technique known as <a href=\"https:\/\/www.techtarget.com\/whatis\/definition\/search-poisoning\">search engine optimisation (SEO) poisoning<\/a>.<\/p>\n<p>From these blogs, they were prompted to download the Gootloader malware disguised as fake legal agreements and contracts, thus giving the operation access to their system.<\/p>\n<p>\u201cGootloader is a cunning and dangerous threat that preys on those seeking business information and legal forms online,\u201d said Stewart. \u201cInnocent users can be easily lured in by Gootloader\u2019s fake posts, unknowingly exposing themselves to ransomware attacks.<\/p>\n<p>\u201cIt\u2019s like a trap, waiting in the shadows for its next unsuspecting victim to stumble into its grasp. 
It\u2019s up to security researchers to shine a light on this dark corner of the internet and protect those who are just trying to find the information they need to get their job done.\u201d<\/p>\n<section data-menu-title=\"How it works\">\n<h3><i data-icon=\"1\"><\/i>How it works<\/h3>\n<p>In the case of Gootloader, the operation keeps its cards close to its chest in such a way that the malicious payloads are never displayed to logged-in users of the compromised WordPress sites, meaning even the site admins may be entirely unaware they are being taken advantage of. It also blocks the IP addresses of the admins, and several netblocks above and below their IP addresses, to stop them from viewing the malicious pages even if they log out of WordPress.<\/p>\n<p>These blocklist features are also built into the server that actually delivers the malicious payload \u2013 a victim can only receive it once, and will then be blocked for 24 hours across any Gootloader-compromised site.<\/p>\n<p>This may seem a little counter-intuitive, but it is in part an obfuscation tactic, as it is a barrier to investigation by researchers or incident responders \u2013 who must then obfuscate their own identities if they wish to revisit a compromised site.<\/p>\n<p>It\u2019s this feature that Stewart and Keplinger have now turned to their advantage. 
Each time a victim arrives, the Gootloader server receives several different types of data, including their IP address, which is the relevant factor here.<\/p>\n<p>Because the server relies on the compromised blog to feed it said IP address, it\u2019s possible to block any IPv4 address on the internet from seeing any Gootloader compromised blog by crafting a \u201cmalicious\u201d request to the server that emulates a \u201clegitimate\u201d request.<\/p>\n<p>Furthermore, because the Gootloader server blocks netblocks of IP addresses above and below the victim\u2019s IP address, it\u2019s possible to protect the entire global IPv4 network space by sending a total of 800,000 requests to the Gootloader server every 24 hours.<\/p>\n<p>But it doesn\u2019t stop here. By \u201cabusing\u201d the blocklist that keeps WordPress site admins in the dark, Stewart and Keplinger were also able to use proxy IP addresses to block a large swathe of the internet permanently \u2013 although only from Gootloader sites that have user registration or use third-party OAUTH logins enabled.<\/p>\n<p>The researchers claimed that since implementing these techniques against Gootloader across the eSentire MDR for Network service, not a single customer has been compromised. Stewart and Keplinger are now spreading the word further through partnerships and collaborations with others.<\/p>\n<p>\u201cBy leveraging the Gootloader threat actor\u2019s own criteria for delivering payloads, we were able to block thousands of IPs from receiving the Gootloader payload, significantly reducing the potential victim pool,\u201d said Stewart.<\/p>\n<p>\u201cIt was a unique approach that helped us disrupt the Gootloader Operation and protect innocent users from falling prey to this dangerous malware,\u201d he said. 
\u201cI\u2019m proud of the work we\u2019ve done to combat this threat, and I hope our approach inspires others to adopt similar tactics to protect against malware.<\/p>\n<p>\u201cBuilding a crawler to uncover the hundreds of thousands of latent Gootloader landing pages on compromised WordPress blogs was no small feat. It required significant research and development time to create a tool that could efficiently crawl and identify these pages. However, the payoff in terms of uncovering these landing pages and sharing this information with other security researchers and organisations made it all worth it. By collaborating and sharing our findings, we can work together to combat this dangerous malware and protect innocent victims from becoming the next target for Gootloader\u2019s ransomware operator\u2019s customers.\u201d<\/p>\n<p>Nevertheless, Stewart said it was also imperative that those who operate WordPress sites in their organisations take more steps to improve their own cyber security and protect themselves from being <a href=\"https:\/\/github.com\/esThreatIntelligence\/GootLoader\">coopted into Gootloader\u2019s bait pool<\/a>.<\/p>\n<p>\u201cBy neglecting site security, operators are putting not only their own data at risk, but also contributing to a larger issue that threatens the safety and security of the internet as a whole,\u201d he said. 
\u201cIt\u2019s every website owner\u2019s duty to secure their web properties and help prevent malware like Gootloader from using their sites to harm innocent users.\u201d<\/p>\n<\/section>\n<section data-menu-title=\"REvil connections\">\n<h3><i data-icon=\"1\"><\/i>REvil connections<\/h3>\n<p>During the course of their work, Stewart and Keplinger additionally firmed up long-posited links between Gootloader and the notorious REvil ransomware crew, which wrought havoc over a multi-year period \u2013 their most significant operation <a href=\"https:\/\/www.computerweekly.com\/news\/252503550\/REvil-crew-wants-70m-in-Kaseya-ransomware-heist\">arguably being the Kaseya supply chain attack<\/a>.<\/p>\n<p>By analysing the timing of various REvil campaigns targeting English, French, German and Korean speaking organisations, and specifically law firms in English-speaking countries, they have now proved the two worked together from 2019 \u2013 <a href=\"https:\/\/www.computerweekly.com\/news\/252471194\/GandCrab-ransomware-writers-still-active-despite-retirement\">when REvil first emerged as a successor to Gandcrab<\/a> \u2013 through to 2022.<\/p>\n<p>They believe that Gootloader was almost continuously feeding victims to REvil and as such was an \u201cintegral factor\u201d in the ransomware gang\u2019s success, and because Gootloader is still actively netting victims, it\u2019s possible its operators are working with a successor operation to REvil to this day, or worse, Russian state-backed groups, as Keplinger explained.<\/p>\n<p>\u201cMany [REvil members] were allegedly <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/news\/252513401\/Fallout-from-REvil-arrests-shakes-up-ransomware-landscape\">arrested by the Russian government in January 2022<\/a>, just before the Ukraine invasion,\u201d he said.<\/p>\n<p>\u201cFollowing Russia\u2019s invasion of Ukraine in 2022, prosecution of REvil gang members appeared to stall, just as it was recently reported that some of 
the defendants\u2019 attorneys were suggesting that their clients \u2018be released to work for Russian security services\u2019 and that \u2018the unique experience of the former defendants would certainly be useful to the Russian special services in the fight against hackers from Ukraine\u2019.\u201d<\/p>\n<\/section>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/365535812\/Researchers-deal-blow-to-Gootloader-gang-that-supported-REvil\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Lawanda Motsinger<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Thousands of compromised WordPress blogs have been spreading the Gootloader malware for years, but eSentire\u2019s security research team are turning the tables on the gang that played a key role in REvil ransomware attacks By Alex Scroxton, Security Editor Published: 26 Apr 2023 15:00 Security researchers at managed detection and response (MDR) specialist eSentire have<\/p>\n","protected":false},"author":1,"featured_media":641687,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[122011,5016,46],"tags":[],"class_list":["post-641686","post","type-post","status-publish","format-standard","has-post-thumbnail","category-gootloader","category-researchers","category-technology"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/641686","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=641686"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/641686\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/641687"}],"wp:attachment":[{"href":"
https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=641686"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=641686"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=641686"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}