Multiple stage malware loaders is used to deliver GootKit Banking Trojan
“Spam email campaign” a well known term that every may listen it before. It is phishing campaign by which malicious viruses are distributed on a compromised machine. In the campaign, as you know, spam emails are sending out on the Internet containing a payload of some malware in an attachment file. Clicking of the attachment makes the payload to activate and install the associated malware inside the system.
This method of malware intrusion has been observed the GootKit Banking Trojan, which by its names is designed and delivered for the sole motive to steal banking credentials from the users’ compromised machine. The GootKit virus, known with for the other two names talepek or XswKit has found to be distributed by using signed emails services such as Posta Electtronica (PEC) used in Italy, Switzerland and Hong Kong so that the scammers can convince the recipients into believing on the contents written on it and open the malicious attachments provided on it.
Multiple stages malware loader is used
GootKit is distributed with multi-stage malware loader dubbed JasperLoader over past few years. For your information, the malware loader is one that does a job of dropping various malware payloads onto the recipients’ machines easily.
JasperLoader is the third one loader that has been observed recently by Cisco Talos research team. The other two is Smoke Loader and Brushloader. The former one being employed to drop ransomware payload whereas the later one makes the use of Living-of-the-Land (LotL) tools such as Powershell scripts to remain undetected.