GootLoader remains in active use: threat actors continue to deploy it to compromise hosts and deliver additional payloads.
A recent analysis by Cybereason found several versions of GootLoader, including GootLoader 3, in current use, showing that the loader continues to evolve.
Despite changes in the specifics of GootLoader payloads over time, its infection tactics and overall functionality have remained consistent since its resurgence in 2020.
GootLoader is a malware loader associated with the Gootkit banking trojan and attributed to the threat actor tracked as Hive0127 (aka UNC2565). It is a JavaScript-based loader that downloads post-exploitation tools and is distributed through search engine optimization (SEO) poisoning.
Its primary purpose is to act as a conduit for delivering various malicious payloads like Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC.
More recently, the operators behind GootLoader introduced their own command-and-control (C2) and lateral movement tool, GootBot, expanding their operations in pursuit of financial gain.
The attack chain begins with compromised legitimate websites that host the GootLoader JavaScript payload, typically inside an archive disguised as a legal document such as a contract or agreement. When the victim runs the script, it establishes persistence through a scheduled task and launches further JavaScript, which in turn runs a PowerShell script to collect system information and await further instructions from the operators.
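The scheduled-task persistence step is a natural hunting point. The Python script below is an added example, not code from the Cybereason report or from GootLoader itself: it parses Task Scheduler XML definitions (the format produced by `schtasks /query /xml` or `Export-ScheduledTask`) and flags any task whose action launches a script file through Windows Script Host (wscript.exe or cscript.exe) from a user-writable directory. The choice of script host, the path heuristics, and the two sample task definitions are assumptions constructed for this example; the page names neither the host process nor the drop locations.

```python
"""Hunt for scheduled tasks that run JavaScript via Windows Script Host from
user-writable locations, the persistence pattern described above.
Added example: not from the Cybereason report or GootLoader's own code.
The sample task XML below is constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (schtasks /query /xml, Export-ScheduledTask).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: the dropped .js is run by Windows Script Host; the page does not name the host.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed user-writable drop locations; tune to your estate.
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\|%appdata%|%localappdata%|%temp%|\\programdata\\)", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|vbs|vbe)\b", re.I)


def parse_task(task_xml):
    """Return (task_uri, [(command, arguments), ...]) from one task definition."""
    root = ET.fromstring(task_xml)
    uri = root.findtext(".//t:RegistrationInfo/t:URI", default="<unnamed>", namespaces=NS)
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    return uri, actions


def is_suspicious(cmd, args):
    """True when a script host launches a script file from a user-writable path."""
    host = cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if host not in SCRIPT_HOSTS:
        return False
    return bool(SCRIPT_EXT.search(args) and USER_WRITABLE.search(args))


def hunt(task_xml_docs):
    """Return [(task_uri, command, arguments)] for every task matching the heuristic."""
    hits = []
    for doc in task_xml_docs:
        uri, actions = parse_task(doc)
        for cmd, args in actions:
            if is_suspicious(cmd, args):
                hits.append((uri, cmd, args))
    return hits


SAMPLE_TASKS = [
    # Constructed benign task: a vendor updater under Program Files.
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Adobe Acrobat Update Task</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Command></Exec>
  </Actions>
</Task>""",
    # Constructed task mimicking the persistence described above: WSH runs a
    # "contract" .js dropped under the user's roaming profile at each logon.
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Contract Agreement Review</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"C:\Users\alice\AppData\Roaming\Contract Agreement\Contract_Agreement.js"</Arguments>
    </Exec>
  </Actions>
</Task>""",
]


if __name__ == "__main__":
    for uri, cmd, args in hunt(SAMPLE_TASKS):
        print(f"[!] {uri}: {cmd} {args}")
```

Feed it the XML of every task on a host (for example, the output of `schtasks /query /xml`, split per task) and review the hits; a legitimately installed product rarely persists by running a loose script from a user profile, so the false-positive rate is low, but the path and extension lists are starting points rather than a complete signature.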

According to security researchers Ralph Villanueva, Kotaro Ogino, and Gal Romano, websites hosting these archive files employ Search Engine Optimization (SEO) poisoning tactics to attract victims searching for business-related files like contract templates or legal documents.
The loader is built to evade analysis and detection: its source code is encoded, its control flow is obfuscated, and its payload is inflated in size. It also hides the malicious code inside legitimate JavaScript library files such as jQuery, Lodash, Maplace.js, and tui-chart.
“Throughout its lifecycle, GootLoader has undergone multiple updates, enhancing its evasion and execution functionalities,” the researchers stated.