Nothing stands still, least of all in information technology, whether it is the security of systems or the evolution of cybercriminals' tools and strategies.


It is worth noting that analysis of current malware development trends suggests that relatively few radically new objects are created: preference is given to approaches that have already proved successful and against which protection is only borderline, where a point fix does not fundamentally close off the attack vector.



As a result, only a relatively small change to the components or to the way they interact is needed, and new soldiers are ready for an unequal battle…


The strategic change of the last couple of years is a constant shifting of positions: work with similar modular blocks that are capable of rapidly modifying both their own code and their polymorphic behaviour model inside the infected system, which naturally creates additional difficulties for analysts trying to identify and reconstruct the initial version of the system.

Now, after last year's high-profile hacks, in particular of WordPress sites, it turns out that through SEO manipulation of Google search and ranking, users see primarily malicious links, go to fake sites, and find there a published link to the malware.


Tellingly, the same technique is also used to hack and modify the content management system (CMS) of the compromised sites so as to change and configure geolocation identifiers in the desired mode…
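The two paragraphs above describe compromised WordPress sites that rank well in search and then serve different content depending on who arrives. What follows is an added example, not code from the original post and not associated with any of the groups or tools it names: a defender-side heuristic that reads web-server access-log lines in combined log format and flags paths whose responses to search-engine-referred visitors differ sharply in size from responses to direct visitors, a sign that the site may be serving injected content only to search traffic. The log lines, paths and byte counts are constructed for illustration, and the search-engine list, the size-ratio threshold and the minimum sample count are assumptions to tune for a real site.

```python
"""Heuristic cloaking check over web-server access logs (added example).

Assumption: logs are in Apache/Nginx combined format. A compromised site used
for SEO poisoning may answer a search-engine-referred visitor with injected
content while direct visitors get the normal page, so the response size for
the same path differs by referrer class. The sample lines below are
constructed for this example.
"""
import re
from collections import defaultdict
from statistics import median

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Referrer hosts treated as search engines (assumed list; extend as needed).
SEARCH_ENGINES = ("google.", "bing.", "yandex.", "duckduckgo.")

# Constructed sample: /blog/post/ answers search visitors with a much smaller
# body than direct visitors; /about/ is consistent for both classes.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2021:10:00:01 +0000] "GET /blog/post/ HTTP/1.1" 200 15100 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Mar/2021:10:00:07 +0000] "GET /blog/post/ HTTP/1.1" 200 15100 "https://example.net/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2021:10:01:02 +0000] "GET /blog/post/ HTTP/1.1" 200 3200 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Mar/2021:10:01:09 +0000] "GET /blog/post/ HTTP/1.1" 200 3200 "https://www.bing.com/search?q=x" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2021:10:02:00 +0000] "GET /about/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2021:10:02:30 +0000] "GET /about/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '198.51.100.10 - - [10/Mar/2021:10:03:00 +0000] "GET /about/ HTTP/1.1" 200 8000 "https://www.google.com/" "Mozilla/5.0"',
    '198.51.100.11 - - [10/Mar/2021:10:03:20 +0000] "GET /about/ HTTP/1.1" 200 8000 "https://www.google.com/" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    ref = rec["referer"].lower()
    rec["search_referred"] = any(engine in ref for engine in SEARCH_ENGINES)
    return rec


def find_cloaking_candidates(lines, ratio=2.0, min_samples=2):
    """Return {path: (median_search_size, median_direct_size)} for paths whose
    successful (200) responses to search-referred visitors differ in size from
    direct visitors' responses by at least `ratio`. Paths with too few samples
    in either class are skipped so one odd request does not raise an alert."""
    sizes = defaultdict(lambda: {"search": [], "direct": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue
        cls = "search" if rec["search_referred"] else "direct"
        sizes[rec["path"]][cls].append(rec["size"])

    flagged = {}
    for path, groups in sizes.items():
        if min(len(groups["search"]), len(groups["direct"])) < min_samples:
            continue
        s_med, d_med = median(groups["search"]), median(groups["direct"])
        lo, hi = sorted((s_med, d_med))
        # Flag when one class gets an empty body or the bodies differ by `ratio` or more.
        if hi > 0 and (lo == 0 or hi / lo >= ratio):
            flagged[path] = (s_med, d_med)
    return flagged


if __name__ == "__main__":
    for path, (s, d) in find_cloaking_candidates(SAMPLE_LOG).items():
        print(f"{path}: search-referred median {s} bytes vs direct {d} bytes")
```

A flagged path is a lead, not a verdict: legitimate sites also vary responses by referrer (consent banners, A/B tests), so the next step is to fetch the path with and without a search-engine Referer header from a clean host and diff the bodies, and to check the CMS files and database for content that is only rendered for that class of visitor.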


The delivery system for the malicious components, Gootloader, itself evolved from a data-theft module called Gootkit. It has now grown into a fairly complex system with a hidden structure for moving components that are deployed sequentially on the target system.


Gootloader now works with approximately 400 controlled sites, which keeps the operation secure and lets it serve users from geographically dispersed locations, the main ones being the United States, South Korea, France and Germany.


In addition to the main components (Gootkit and REvil), this mode allows Kronos and Cobalt Strike to be added to the target system. That is, everything is in place: ransomware, Trojans, and emulation tools…

The malware then begins its activity through a multi-pass mode of action, designed to distract the attention of antivirus software and to deny information to analytical detection systems, interspersing its own modules with the use of system components.

To block attacks of this level, analysts recommend the use of script blockers, but not everyone is ready to use such tools on a regular basis. In addition, this step jeopardizes many advertising areas of sites' operation…

Copyright © 2015 - 2020 GPD Host All right reserved.
