
GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks

The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts.

“Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use,” cybersecurity firm Cybereason said in an analysis published last week.

“While some of the details of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware’s resurgence in 2020.”


GootLoader, a malware loader that is part of the Gootkit banking trojan, is linked to a threat actor tracked as Hive0127 (aka UNC2565). It abuses JavaScript to download post-exploitation tools and is distributed via search engine optimization (SEO) poisoning tactics.

It typically serves as a conduit for delivering various payloads such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC.


In recent months, the threat actors behind GootLoader have also unleashed their own command-and-control (C2) and lateral movement tool dubbed GootBot, indicating that the “group is expanding their market to reach a wider audience for their financial gains.”


Attack chains involve compromising websites to host the GootLoader JavaScript payload by passing it off as legal documents and agreements. When launched, the payload sets up persistence using a scheduled task and executes additional JavaScript to kick-start a PowerShell script that collects system information and awaits further instructions.
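The persistence chain described above (scheduled task running a JavaScript file through a script host, which in turn spawns PowerShell) is something a detection engineer can look for in endpoint telemetry. The following is an added example written for this article, not Cybereason's tooling or GootLoader's own code. The event records are constructed and the field names (`type`, `action`, `arguments`, `parent_image`, `image`, `command_line`) are an assumed, simplified Sysmon-like shape, not any vendor's schema.

```python
"""Heuristic detection of a script-host persistence chain: a scheduled task
whose action runs a .js file via wscript/cscript, and a script-host process
spawning PowerShell.  Added example; all events below are constructed and the
record layout is an assumption, not a real product schema."""

import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Directories an unprivileged user can write to; a scheduled task that runs a
# .js file from one of these is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|users\\public)\\", re.I)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def flag_task_creation(event: dict) -> list:
    """Return reasons a TaskCreated event looks like script-based persistence."""
    reasons = []
    cmd = _basename(event.get("action", ""))
    args = event.get("arguments", "")
    if cmd in SCRIPT_HOSTS and re.search(r"\.js\b", args, re.I):
        reasons.append("scheduled task runs a .js file through a script host")
        if USER_WRITABLE.search(args):
            reasons.append("script lives in a user-writable directory")
    return reasons


def flag_process_creation(event: dict) -> list:
    """Return reasons a ProcessCreated event looks like the JS -> PowerShell hop."""
    reasons = []
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        reasons.append("PowerShell spawned by a script host")
        if re.search(r"-(e|enc|encodedcommand)\b", event.get("command_line", ""), re.I):
            reasons.append("encoded PowerShell command line")
    return reasons


def scan(events: list) -> list:
    """Run both rules over a list of events; return (index, reasons) for hits."""
    hits = []
    for i, ev in enumerate(events):
        reasons = []
        if ev.get("type") == "TaskCreated":
            reasons = flag_task_creation(ev)
        elif ev.get("type") == "ProcessCreated":
            reasons = flag_process_creation(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real telemetry).  Event 0 and 3 are benign
# controls; 1 and 2 model the chain described in the article.
SAMPLE_EVENTS = [
    {"type": "TaskCreated", "task_name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"C:\Windows\System32\defrag.exe", "arguments": "-c -h -o"},
    {"type": "TaskCreated", "task_name": r"\Contract Review",
     "action": r"C:\Windows\System32\wscript.exe",
     "arguments": r'"C:\Users\alice\AppData\Roaming\Agreement_Template.js"'},
    {"type": "ProcessCreated", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # constructed command line; the base64 is just "AAA" in UTF-16LE
     "command_line": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"type": "ProcessCreated", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Date"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```

Run stand-alone it reports events 1 and 2 and stays silent on the benign defrag task and the interactively launched PowerShell. The two rules are deliberately independent so that either half of the chain (a task pointing at a script in a user-writable path, or a script host launching PowerShell) produces a signal on its own; correlating both on the same host within a short window is the higher-confidence alert.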


“Sites that host these archive files leverage Search Engine Optimization (SEO) poisoning techniques to lure in victims that are searching for business-related files such as contract templates or legal documents,” security researchers Ralph Villanueva, Kotaro Ogino, and Gal Romano said.

The attacks are also notable for employing source code encoding, control flow obfuscation, and payload size inflation in order to resist analysis and detection. Another technique involves embedding the malware in legitimate JavaScript library files like jQuery, Lodash, Maplace.js, and tui-chart.
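Two of the traits above, payload size inflation and embedding in a well-known library file, give a defender something concrete to check when triaging a .js file pulled from a "contract template" archive. The following triage heuristic is an added example for this article, not Cybereason's or any library project's code. The per-library size ceilings, the lure keywords and the indicator strings are assumptions chosen for illustration, and the two sample files are constructed.

```python
"""Triage heuristics for a JavaScript file that may be a loader hidden inside,
or posing as, a legitimate library.  Added example; size ceilings, lure words
and indicator strings are illustrative assumptions, and the samples are
constructed rather than real malware."""

import re
from typing import List, Optional

# Banner comments legitimate copies of the libraries named in the article start
# with.  Matching is case-insensitive and deliberately loose.
LIBRARY_BANNER = re.compile(r"/\*!?\s*(jQuery|lodash|Maplace|tui-chart)", re.I)

# Assumed upper bounds (bytes) for an unmodified copy of each library.  These
# are placeholders; in practice derive them from the known-good sizes and
# hashes of the versions your environment actually ships.
ASSUMED_MAX_SIZE = {"jquery": 400_000, "lodash": 600_000,
                    "maplace": 100_000, "tui-chart": 1_500_000}

# Strings a browser library has no reason to contain but a Windows Script Host
# loader does.  Bare "ActiveXObject" is left out: old jQuery uses it for XHR.
SCRIPT_HOST_INDICATORS = [
    "WScript.Shell", "WScript.CreateObject", "Scripting.FileSystemObject",
    "Shell.Application", "powershell", "schtasks",
]

# Words that mimic the business-document lures described in the article.
LURE_WORDS = {"agreement", "contract", "template", "invoice", "nda", "legal"}


def looks_like_lure(filename: str) -> bool:
    """True for a .js file whose name is built from document-style words."""
    name = filename.lower()
    tokens = set(re.split(r"[^a-z0-9]+", name))   # split on _ - . and spaces
    return name.endswith(".js") and bool(tokens & LURE_WORDS)


def banner_library(source: str) -> Optional[str]:
    """Name of the library the file's header comment claims to be, if any."""
    m = LIBRARY_BANNER.search(source[:2000])      # banners sit at the top
    return m.group(1).lower() if m else None


def triage_js(filename: str, source: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if looks_like_lure(filename):
        findings.append(f"document-lure file name: {filename}")
    lib = banner_library(source)
    size = len(source.encode("utf-8"))
    if lib:
        limit = ASSUMED_MAX_SIZE.get(lib)
        if limit and size > limit:
            findings.append(f"claims to be {lib} but is {size} bytes (> assumed {limit})")
    lowered = source.lower()
    hits = [s for s in SCRIPT_HOST_INDICATORS if s.lower() in lowered]
    if hits:
        where = f"inside a file claiming to be {lib}" if lib else "in a standalone script"
        findings.append(f"script-host indicators {hits} {where}")
    return findings


# Constructed samples.  The "inflated" one mimics a library file padded with a
# huge filler comment and a script-host call appended at the end; the banner
# text is only a stand-in for a real jQuery header.
CLEAN_JQUERY = ("/*! jQuery v3.7.1 | (c) OpenJS Foundation */\n"
                "(function(){ var x = 1; })();\n")
INFLATED_JQUERY = ("/*! jQuery v3.7.1 | (c) OpenJS Foundation */\n"
                   + "/* " + "filler " * 60_000 + " */\n"
                   + 'var s = new ActiveXObject("WScript.Shell");\n')

if __name__ == "__main__":
    for name, src in [("jquery.min.js", CLEAN_JQUERY),
                      ("Contract_Agreement_Template.js", INFLATED_JQUERY)]:
        print(name, "->", triage_js(name, src) or "no findings")
```

The size check only fires when a banner is present, because an oversized script with no library claim is not by itself unusual; the indicator check fires either way. Tokenising the file name rather than substring-matching avoids flagging names like `standard.js` on the embedded "nda".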

“GootLoader has received several updates throughout its life cycle, including changes to evasion and execution functionalities,” the researchers concluded.
