The GootLoader malware continues to pose a significant risk as cybercriminals use it to deploy new payloads onto infected systems. According to the cybersecurity firm Cybereason, threat actors are actively using it against a range of organizations, particularly in the legal and professional-services sectors.
Cybereason's recent analysis notes that GootLoader has gone through several revisions, and the latest version, GootLoader 3, is the one currently used in attacks. Although the payloads GootLoader delivers have changed, its infection strategy and overall operational framework remain largely the same as when it resurfaced in 2020.
GootLoader is a malware loader linked to the Gootkit banking trojan and attributed to a threat actor tracked as Hive0127 (also known as UNC2565). It is written in JavaScript, uses that code to download post-exploitation tools, and is distributed through search engine optimization (SEO) poisoning of search results. GootLoader has been used to deliver a range of payloads, including Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC, which makes it a multifaceted threat.
In recent months, the operators behind GootLoader have developed a new command-and-control tool known as GootBot. This signals an expansion of the group's capabilities, enabling lateral movement within compromised networks.
The attack typically begins with the compromise of legitimate websites, which are then used to host the malicious GootLoader JavaScript payload disguised as a legitimate document. Once executed, the payload establishes persistence through scheduled tasks and runs additional JavaScript, which in turn launches a PowerShell script to collect system information and wait for further commands.
Security researchers note that the compromised sites rely on SEO poisoning to lure victims searching for business documents such as contract templates. GootLoader also uses source code encoding and control flow obfuscation to evade detection, and embeds the malware inside legitimate JavaScript libraries.
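The execution chain described above (a Windows script host running a downloaded .js file, a scheduled task registered for persistence, and a PowerShell child process) lends itself to a simple correlation rule over endpoint telemetry. The following is an added illustration written for this article; it is not code from the article, from Cybereason, or from Unit 42. The event fields (ts, type, pid, ppid, image, cmdline, taskName, action) are assumed for the example and every sample value is constructed.

```javascript
// Added illustration, not code from the article or from Cybereason / Unit 42.
// It scores the execution chain the article describes (a script host running
// a downloaded .js file, a scheduled task for persistence, and a PowerShell
// child process) over process and scheduled-task telemetry. The event fields
// (ts, type, pid, ppid, image, cmdline, taskName, action) are assumed for this
// example and every sample value is constructed.

const SCRIPT_HOSTS = new Set(["wscript.exe", "cscript.exe"]);
// Directories a normal user can write to; a .js launched from here is a weak
// signal on its own and only becomes an alert together with the other signals.
const USER_WRITABLE_DIRS = [/\\downloads\\/i, /\\appdata\\/i, /\\temp\\/i];
const ALERT_THRESHOLD = 3;

// Constructed sample telemetry for one host, in chronological order.
const sampleEvents = [
  { ts: 1, type: "process", pid: 100, ppid: 10,
    image: "C:\\Windows\\explorer.exe", cmdline: "explorer.exe" },
  // User opens a "contract template" .js obtained from a poisoned search result
  { ts: 2, type: "process", pid: 200, ppid: 100,
    image: "C:\\Windows\\System32\\wscript.exe",
    cmdline: "wscript.exe \"C:\\Users\\alice\\Downloads\\contract_template_2024.js\"" },
  // Persistence: the script registers a task that re-runs a second .js via wscript
  { ts: 3, type: "scheduled_task", pid: 200, taskName: "\\UpdaterTask",
    action: "wscript.exe C:\\Users\\alice\\AppData\\Roaming\\Updater\\stage2.js" },
  // Second stage hands off to PowerShell for system reconnaissance
  { ts: 4, type: "process", pid: 300, ppid: 200,
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmdline: "powershell.exe -w hidden -c <constructed placeholder>" },
  // Benign noise: a logon script run from a domain share, no PowerShell child
  { ts: 5, type: "process", pid: 400, ppid: 10,
    image: "C:\\Windows\\System32\\wscript.exe",
    cmdline: "wscript.exe \\\\fileserver\\netlogon\\map_drives.vbs" },
];

function baseName(p) {
  return p.split(/[\\/]/).pop().toLowerCase();
}

// Signal 1: a Windows script host executing a .js file from a user-writable path.
function isScriptHostRunningUserScript(ev) {
  return ev.type === "process"
    && SCRIPT_HOSTS.has(baseName(ev.image))
    && /\.js\b/i.test(ev.cmdline)
    && USER_WRITABLE_DIRS.some((re) => re.test(ev.cmdline));
}

// Signal 2: a scheduled task whose action is itself a script host (persistence).
function isScriptHostTask(ev) {
  return ev.type === "scheduled_task"
    && SCRIPT_HOSTS.has(baseName(ev.action.split(" ")[0]));
}

// For every suspicious script-host process, add up the chain's signals and
// return the ones that cross the alert threshold, with the reasons attached.
function detectGootLoaderChain(events) {
  const findings = [];
  for (const root of events) {
    if (!isScriptHostRunningUserScript(root)) continue;
    const reasons = ["script host ran .js from user-writable path"];
    let score = 1;

    const tasks = events.filter((e) => e.pid === root.pid && isScriptHostTask(e));
    if (tasks.length > 0) {
      score += 2;
      reasons.push(`created scheduled task ${tasks[0].taskName} that runs a script host`);
    }

    const psChildren = events.filter((e) => e.type === "process"
      && e.ppid === root.pid && baseName(e.image) === "powershell.exe");
    if (psChildren.length > 0) {
      score += 2;
      reasons.push(`spawned powershell.exe (pid ${psChildren[0].pid})`);
    }

    if (score >= ALERT_THRESHOLD) {
      findings.push({ pid: root.pid, cmdline: root.cmdline, score, reasons });
    }
  }
  return findings;
}

// Example run over the constructed telemetry.
for (const f of detectGootLoaderChain(sampleEvents)) {
  console.log(`ALERT pid=${f.pid} score=${f.score}: ${f.reasons.join("; ")}`);
}
```

The scoring keeps the noisy signal (a script host launched from a user-writable directory) below the alert threshold on its own, so an administrator's logon script does not page anyone; only the combination with persistence or a PowerShell child, which the article describes as the loader's next steps, produces an alert.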
Researchers report that GootLoader has evolved significantly over its operational lifetime, with improvements to its evasion tactics and execution logic that make it more resilient to analysis and detection.
Update
In response to GootLoader's anti-analysis methods, researchers from Palo Alto Networks' Unit 42 have described an analysis approach that uses Visual Studio Code's Node.js debugging capabilities. They explain how the malware authors use techniques such as time-consuming while loops and large arrays of functions to deliberately delay execution of the malicious code, which complicates efforts to analyze what GootLoader does.
The ongoing GootLoader campaigns are a clear threat to organizations and call for vigilance. As the attackers refine their tactics, mapping the observed behaviour to the MITRE ATT&CK framework helps defenders understand the techniques involved, including initial access via compromised websites, persistence through scheduled tasks, and stealthy data collection. The evolving nature of this malware and its varied payload delivery methods underscore the need for organizations to strengthen their security measures to stay ahead of emerging threats.