A new type of GootLoader malware is hard to catch and spreads quickly.

A new GootLoader variant, dubbed GootBot, has been found to let attackers move laterally through already compromised networks while evading detection.

"The GootLoader group added their own custom bot to the end of their attack chain to avoid being caught when they use commercial C2 tools like CobaltStrike or RDP," IBM X-Force analysts Golo Mühr and Ole Villadsen explained.
Mühr and Villadsen further elaborate, "This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads."

True to its name, GootLoader is a loader: its job is to fetch and run additional malware, and it reaches victims through search engine optimization (SEO) poisoning. It is attributed to the threat actor tracked as Hive0127, also known as UNC2565.

The notable change with GootBot is where it sits in the chain: the implant is now delivered as a payload after a GootLoader infection, taking the place that post-exploitation tools such as CobaltStrike previously filled.

GootBot itself is an obfuscated PowerShell script that connects to a compromised WordPress site, which serves as its command-and-control server, and waits there for further commands.

Each deployed GootBot sample carries its own distinct hard-coded command-and-control (C2) server. Because no two samples share a C2, blocking the domain seen in one sample does nothing for the next, which makes the traffic hard to predict and block at the network level.

"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," said the researchers.

Inside the archive is a JavaScript file that, when executed, retrieves a second JavaScript file; that second file is launched by a scheduled task, which gives the infection persistence.

The second-stage JavaScript launches a PowerShell script that gathers system information and sends it to a remote server. The server responds with its own PowerShell script, which runs in an infinite loop and lets the operators push whatever payloads they need.

GootBot's main loop polls its C2 server every 60 seconds, fetches PowerShell tasks to execute, and returns the results of each task to the server via HTTP POST requests.
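The fixed 60-second polling cadence is a property of the bot's behaviour rather than of any one sample, so it can be hunted for even though every sample talks to a different C2 host. The following Python script is an added illustration of that idea and is not code from the article or from IBM X-Force: it parses a simplified, constructed proxy-log format (the host names, IPs, paths and timestamps are all made up for the example), groups requests by source, host and path, and flags groups whose POSTs recur at a near-constant interval. The 60-second interval and the POST method follow the behaviour described above; the 10% tolerance and the five-request minimum are assumptions chosen for the example.

```python
"""Detect fixed-cadence HTTP POST beacons in proxy logs.

Added illustration, not code from the article or from IBM X-Force.
The log format and every host name, IP, path and timestamp below are
constructed for this example; the 60-second cadence and POST method follow
the behaviour described in the article, the tolerances are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in a simplified proxy-log format:
#   <epoch_seconds> <src_ip> <method> <host> <path> <status> <bytes_out>
# 10.0.0.5 posts to the same host/path every ~60 s (the pattern to flag);
# 10.0.0.7 is ordinary user traffic with irregular timing.
SAMPLE_LOG = """\
1700000000 10.0.0.5 POST blog.example /index.php 200 412
1700000003 10.0.0.7 GET intranet.corp.example /wiki/Home 200 0
1700000060 10.0.0.5 POST blog.example /index.php 200 398
1700000071 10.0.0.7 POST intranet.corp.example /api/save 200 1024
1700000121 10.0.0.5 POST blog.example /index.php 200 405
1700000180 10.0.0.5 POST blog.example /index.php 200 410
1700000199 10.0.0.7 POST intranet.corp.example /api/save 200 2048
1700000240 10.0.0.5 POST blog.example /index.php 200 401
1700000300 10.0.0.5 POST blog.example /index.php 200 399
1700000901 10.0.0.7 POST intranet.corp.example /api/save 200 777
1700000930 10.0.0.7 POST intranet.corp.example /api/save 200 512
1700001000 10.0.0.7 POST intranet.corp.example /api/save 200 640
"""


def parse_log(text):
    """Parse the simplified log format into a list of event dicts.

    Blank lines and '#' comments are skipped; a malformed line raises so a
    broken log is noticed instead of silently yielding no findings.
    """
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        ts, src, method, host, path, status, size = fields
        events.append({
            "ts": float(ts), "src": src, "method": method.upper(),
            "host": host.lower(), "path": path,
            "status": int(status), "bytes": int(size),
        })
    return events


def find_beacons(events, expected_interval=60.0, tolerance=0.10,
                 min_hits=5, method="POST"):
    """Flag (src, host, path) groups whose requests recur at a fixed cadence.

    A group is reported when it has at least ``min_hits`` requests, the mean
    gap between consecutive requests is within ``tolerance`` (a fraction) of
    ``expected_interval``, and the relative spread of the gaps (population
    standard deviation divided by the mean) is also within ``tolerance``.
    Keying on cadence rather than destination is what makes this useful
    against malware whose C2 host differs per sample.  ``method=None``
    considers every request method.
    """
    min_hits = max(min_hits, 3)  # at least two gaps are needed for a spread
    groups = defaultdict(list)
    for e in events:
        if method is None or e["method"] == method:
            groups[(e["src"], e["host"], e["path"])].append(e["ts"])

    findings = []
    for (src, host, path), times in groups.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all requests at the same instant: not a beacon
            continue
        spread = pstdev(gaps) / avg
        if (abs(avg - expected_interval) <= tolerance * expected_interval
                and spread <= tolerance):
            findings.append({
                "src": src, "host": host, "path": path,
                "hits": len(times),
                "mean_interval": avg,
                "jitter": spread,
                "first_seen": times[0],
                "last_seen": times[-1],
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['host']}{f['path']}: {f['hits']} POSTs, "
              f"mean gap {f['mean_interval']:.1f}s, jitter {f['jitter']:.3f}")
```

On the constructed sample only 10.0.0.5 is reported; 10.0.0.7 has enough POSTs to the same path but no steady cadence. Against real traffic the same logic would be fed from a proxy or Zeek http.log export, and the tolerance should be widened if the implant adds sleep jitter. Note that a compromised WordPress site is a legitimate site with an ordinary reputation, so destination-reputation lists would not have caught this traffic anyway.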

GootBot's capabilities include reconnaissance of the environment it runs in and lateral movement, which lets an intrusion expand from a single host to the wider network.

"The discovery of the Gootbot variant highlights the lengths to which attackers will go to evade detection and operate in stealth," they said. "This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as GootLoader-linked ransomware affiliate activity."
