GootLoader malware remains actively used by threat actors to deliver various payloads to compromised systems. Recent updates have led to multiple versions of GootLoader, with the latest, GootLoader 3, currently in circulation. Despite some changes in the payload specifics, the malware’s infection methods and overall functionality have stayed consistent since its resurgence in 2020.
GootLoader, part of the Gootkit banking trojan, is linked to the threat actor group Hive0127 (also known as UNC2565). It employs JavaScript for post-exploitation activities and is distributed through search engine optimization (SEO) poisoning tactics. The malware acts as a loader for other malicious payloads such as Cobalt Strike, IcedID, Kronos, and REvil.
The threat actors behind GootLoader have also developed their own command-and-control (C2) tool named GootBot, indicating an expansion in their operations. Attack chains involve compromising websites to host GootLoader JavaScript payloads disguised as legitimate documents. This approach uses scheduled tasks and additional JavaScript to collect system information and await further instructions.
Recent analyses reveal that GootLoader employs advanced evasion techniques including source code encoding and control flow obfuscation to avoid detection. Additionally, it can be embedded in legitimate JavaScript libraries. Researchers have shown how to bypass these evasion techniques using Visual Studio Code’s Node.js debugging tools, highlighting the sophisticated measures taken by the malware creators.
Reference:
