The latest iteration of GootLoader malware, known as GootBot, enables lateral movement within compromised systems while successfully evading detection.
As per IBM X-Force researchers, the inclusion of a custom bot in the final phases of the attack is an endeavor to elude detection.
GootLoader malware
The novel variant is a lean yet potent malware that empowers attackers to swiftly propagate through networks and craft additional malicious payloads.
GootLoader is a malware that employs search engine optimization (SEO) poisoning tactics to entice potential victims and subsequently download additional malware. It maintains a connection with a hacking group known as Hive0127 (also referred to as UNC2565).
The utilization of GootBot signifies a shift in tactics, with the implant being downloaded as a payload subsequent to GootLoader infection, eliminating the need for post-exploitation frameworks like CobaltStrike.
GootBot, characterized as an obfuscated PowerShell script, is crafted to establish a connection to a compromised WordPress website for command and control purposes and to receive additional directives.
Further complicating matters is the use of a unique hard-coded C2 server for each GootBot sample submitted, making it difficult to block malicious traffic.
The researchers stated, “The ongoing campaigns under surveillance utilize SEO-poisoned searches related to topics such as contracts, legal forms, or other business-related documents. These campaigns direct unsuspecting victims to compromised websites, cleverly designed to mimic legitimate forums, where they are deceived into downloading the payload disguised as an archive file.”
The archive file contains an obfuscated JavaScript file that, during runtime, fetches another JavaScript file, which is activated through a scheduled task in order to establish persistence.
In the second stage, the JavaScript is configured to run a PowerShell script, which collects system information and transmits it to a remote server. In response, the remote server deploys a PowerShell script that enables the attacker to disseminate other malicious payloads.
This encompasses GootBot, which communicates with its Command and Control (C2) server every 60 seconds to fetch PowerShell tasks for execution and subsequently sends the execution results back to the server via HTTP POST requests.
Some of GootBot’s other capabilities are reconnaissance and lateral movement in the environment, effectively extending the attack.
“The identification of this GootBot variant underscores the extent to which attackers are striving to evade detection and maintain stealth,” noted the researchers. “These alterations in tactics, techniques, and tools heighten the risk of successful post-exploitation phases, potentially leading to the development of ransomware associated with GootLoader.”
The new GootLoader variant poses significant and severe risks, potentially resulting in system damage, unauthorized access to sensitive data, and privacy breaches, including identity theft.
Furthermore, as previously noted, it can be utilized to deploy additional malicious software, such as ransomware or spyware, exacerbating the potential for harm.
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment