Gootloader itself is written in JavaScript and is distributed by way of black hat SEO (BHSEO) campaigns that contain utilizing compromised web sites to inject rogue outcomes into search engines like google and yahoo. Gootloader search outcome poisoning campaigns usually goal key phrases for enterprise paperwork particular to totally different industries.
“Hive0127 usually targets on-line searches for contracts, authorized varieties or different business-related paperwork; for instance: ‘Is a closing assertion the identical as a grand contract?’,” researchers from X-Power clarify. “Targets are served a compromised web site modified to seem as a official discussion board on the prime of the poisoned search engine outcomes web page. Throughout the discussion board dialog, the targets are then tricked into downloading an archive file associated to their preliminary search phrases, however which truly incorporates Gootloader.”
From Gootloader to GootBot
Upon execution, Gootloader drops a malicious JavaScript file in an present folder from the %APPDATA% listing and units up a scheduled activity to make sure its persistent execution at restart. The JavaScript file then executes a PowerShell script that collects fundamental details about the system and uploads it to 10 hard-coded URLs — often compromised WordPress web sites. The script additionally searches in a loop for extra PowerShell payloads to obtain and execute from these servers.
In previous campaigns, that is the stage the place attackers deployed Cobalt Strike or different extra superior payloads. Nevertheless, the X-Power researchers lately noticed a brand new payload within the type of an obfuscated PowerShell script that reaches out to a single C2 server and waits for extra duties to execute. They named this payload GootBot because it’s a extra light-weight variant of Gootloader itself.
“As a response, GootBot expects a string consisting of a Base64-encoded payload, and the final eight characters being the duty identify,” the researchers stated. “It then decodes the payload and injects it right into a easy scriptblock earlier than executing it in a brand new background job utilizing the ‘Begin-Job’ Cmdlet. This permits the PowerShell payload to be run asynchronously and with out creating a baby course of, doubtlessly leading to much less EDR detections.”
What makes GootBot totally different is that it’s not solely deployed on the system the place Gootloader was first executed, but additionally to different methods from the identical community. The payloads that GootBot receives are PowerShell scripts used for lateral motion that enumerate community methods and the area and exfiltrate credentials by dumping the reminiscence of the LSASS course of, in addition to registry hives similar to SAM, SYSTEM, and SECURITY.
