Follow-on activity varies. In 2021, Red Canary saw operators use Gootkit to deliver Cobalt Strike. Though we didn’t observe any ransomware in that intrusion, the intrusion chain mirrored public reporting of compromises where victims’ networks were ultimately encrypted with Sodinokibi (REvil) ransomware. Based on public research and follow-on activity observed in customer environments last year, it’s likely that Gootkit operators facilitate ransomware-as-a-service (RaaS) activity in some cases, either deploying other payloads directly or selling access to environments with Gootkit infections. We have also observed Gootkit dropping the Osiris banking trojan.
While we’ve observed Gootkit detections in customer environments across multiple sectors, almost without exception, infections occurred after victims visited compromised websites purporting to host content related to legal or financial agreements. Victims were likely directed to these sites after initiating queries in common search engines with keywords such as “agreement,” “contract,” and the names of various financial institutions. Given the volume of Gootkit detections and the range of victims, this threat is likely more opportunistic than targeted to a specific industry or organization. Accordingly, Gootkit remains a threat to all organizations.
One hypothesis as to why we observe Gootkit so frequently is that victims download it from sites they reached through search results for queries they initiated themselves, as we discuss further in the user-initiated initial access section.