Article Details

Scrape Timestamp (UTC): 2024-07-05 08:42:43.664

Source: https://thehackernews.com/2024/07/gootloader-malware-delivers-new.html

Original Article Text


GootLoader Malware Delivers New Payloads with GootLoader 3

The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts.

"Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use," cybersecurity firm Cybereason said in an analysis published last week. "While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware's resurgence in 2020."

GootLoader, a malware loader that is part of the Gootkit banking trojan, is linked to a threat actor named Hive0127 (aka UNC2565). It abuses JavaScript to download post-exploitation tools and is distributed via search engine optimization (SEO) poisoning. It typically serves as a conduit for delivering payloads such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC.

In recent months, the threat actors behind GootLoader have also unleashed their own command-and-control (C2) and lateral movement tool, dubbed GootBot, indicating that the "group is expanding their market to gain a wider audience for their financial gains."

Attack chains involve compromising websites to host the GootLoader JavaScript payload, passed off as legal documents and agreements. When launched, the script sets up persistence using a scheduled task and executes additional JavaScript that kick-starts a PowerShell script for collecting system information and awaiting further instructions.

"Sites that host these archive files leverage Search Engine Optimization (SEO) poisoning techniques to lure in victims that are searching for business-related files such as contract templates or legal documents," security researchers Ralph Villanueva, Kotaro Ogino, and Gal Romano said.
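The execution chain the article describes (a scheduled task launches JavaScript, which in turn starts PowerShell) is something a detection engineer can look for in process-creation telemetry. The Python below is an added example written for this page, not code from Cybereason or The Hacker News: it walks constructed, Sysmon-style process records and flags any PowerShell process whose ancestry includes a Windows script host running a .js file, rating the finding higher when that ancestry also passes through the task scheduler. The PIDs, paths and command lines are constructed, and the script-host names (wscript.exe, cscript.exe) and scheduler indicators (svchost.exe with "-s Schedule", taskeng.exe) are assumptions about how such a chain appears on Windows, not details taken from the article.

```python
"""Hunt for the GootLoader-style chain described above (scheduled task ->
JavaScript via a script host -> PowerShell) in process-creation telemetry.
Every event below is a constructed sample, not real telemetry."""

import os
import re
from typing import Dict, List

# Assumptions (not from the article): a launched .js runs through
# wscript.exe/cscript.exe, and scheduled tasks start under the Schedule
# service instance of svchost.exe (or taskeng.exe on older systems).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JS_PATH = re.compile(r'([^\s"]+\.js)\b', re.IGNORECASE)

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSH_IMAGE = r"C:\Windows\System32\wscript.exe"

# Constructed Sysmon-like records: pid, parent pid, image path, command line.
SAMPLE_EVENTS: List[Dict] = [
    # Initial access: the user opens the .js from the downloaded archive.
    {"pid": 5000, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 3900, "ppid": 5000, "image": WSH_IMAGE,
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\legal_agreement\legal_agreement_78910.js"'},
    {"pid": 3950, "ppid": 3900, "image": PS_IMAGE,
     "cmdline": "powershell.exe -w hidden -enc <constructed-placeholder>"},
    # Persistence: the scheduled task re-launches the second-stage script.
    {"pid": 800, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": 4120, "ppid": 800, "image": WSH_IMAGE,
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Contract_Template\agreement_12345.js"'},
    {"pid": 4388, "ppid": 4120, "image": PS_IMAGE,
     "cmdline": "powershell.exe -w hidden -enc <constructed-placeholder>"},
    # Benign noise: an interactive PowerShell session started from Explorer.
    {"pid": 5010, "ppid": 5000, "image": PS_IMAGE,
     "cmdline": "powershell.exe Get-Service"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, portable across host OSes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def ancestors(pid: int, index: Dict[int, Dict], limit: int = 8) -> List[Dict]:
    """The event for pid followed by its parents; stops at unknown pids or loops."""
    chain, seen = [], set()
    while pid in index and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return chain


def is_js_script_host(event: Dict) -> bool:
    """True for wscript/cscript executing a .js file."""
    return basename(event["image"]) in SCRIPT_HOSTS and JS_PATH.search(event["cmdline"]) is not None


def launched_by_scheduler(event: Dict) -> bool:
    """True for the task scheduler host process (assumed indicators)."""
    image, cmdline = basename(event["image"]), event["cmdline"].lower()
    return image == "taskeng.exe" or (image == "svchost.exe" and "-s schedule" in cmdline)


def find_gootloader_chains(events: List[Dict]) -> List[Dict]:
    """One finding per PowerShell process whose ancestry contains a script
    host running a .js file; task-launched chains are rated higher because
    they match the persistence stage described in the article."""
    index = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if basename(event["image"]) != "powershell.exe":
            continue
        chain = ancestors(event["pid"], index)
        host = next((a for a in chain[1:] if is_js_script_host(a)), None)
        if host is None:
            continue
        scheduled = any(launched_by_scheduler(a) for a in chain)
        findings.append({
            "powershell_pid": event["pid"],
            "script_host_pid": host["pid"],
            "js_path": JS_PATH.search(host["cmdline"]).group(1),
            "via_scheduled_task": scheduled,
            "severity": "high" if scheduled else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_gootloader_chains(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample this reports two chains: the initial double-click (script host under Explorer, rated medium) and the re-launch under the Schedule service (rated high); the interactive PowerShell session under Explorer is not reported because no script host sits in its ancestry. In production the same logic runs over Sysmon event ID 1 or EDR process-start records, and the medium-severity case is worth keeping as an early-warning signal since it fires before the scheduled task exists.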
The attacks are also notable for using source code encoding, control flow obfuscation, and payload size inflation to resist analysis and detection. Another technique entails embedding the malware in legitimate JavaScript library files like jQuery, Lodash, Maplace.js, and tui-chart. "GootLoader has received several updates during its life cycle, including changes to evasion and execution functionalities," the researchers concluded.
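The delivery traits the article lists (an archive carrying a JavaScript file named like a contract or agreement, inflated in size, and sometimes wrapped in a real library such as jQuery or Lodash) suggest a simple triage check for a mail or download gateway. The Python below is an added example for this page, not tooling from Cybereason: the lure-word list, the size threshold and the library-banner pattern are assumptions chosen for illustration, and the archive it inspects is constructed in memory. A hit on any one heuristic is a triage signal for a sandbox or analyst, not a verdict; a genuine jQuery bundle inside a ZIP will trip the banner check on its own.

```python
"""Triage a ZIP archive for script files that resemble the GootLoader lures
described above: document-style names, inflated size, or a banner that
claims the file is a well-known JavaScript library.
The archive is constructed in memory for the example."""

import io
import re
import zipfile
from typing import Dict, List

SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")
# Assumptions for illustration: words common in business-document lures, a
# size above which a single script is suspicious, and banner text of the
# libraries the article names as carriers (jQuery, Lodash, Maplace.js, tui-chart).
LURE_WORDS = re.compile(r"contract|agreement|invoice|template|legal|policy", re.I)
INFLATED_BYTES = 500_000
LIBRARY_BANNER = re.compile(r"/\*!?\s*(jquery|lodash|maplace|tui-chart)", re.I)


def triage_archive(data: bytes, inflated_bytes: int = INFLATED_BYTES) -> List[Dict]:
    """Return one finding per script entry that trips at least one heuristic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            reasons = []
            if LURE_WORDS.search(name):
                reasons.append("document-style name on a script file")
            if info.file_size >= inflated_bytes:  # uncompressed size
                reasons.append(f"inflated size: {info.file_size} bytes")
            with zf.open(info) as fh:  # only the first 512 bytes are needed
                head = fh.read(512).decode("utf-8", "replace")
            if LIBRARY_BANNER.search(head):
                reasons.append("header claims to be a known JavaScript library")
            if reasons:
                findings.append({"name": name, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a lure-named, padded .js with a jQuery-like banner,
    plus a harmless small script and a text file that should not be flagged."""
    banner = "/*! jQuery v0.0.0 (constructed sample banner, not real jQuery) */\n"
    padding = "var a=1;/* filler */\n" * 30000  # about 630 KB of inert filler
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Agreement_Template_2024.js", banner + padding)
        zf.writestr("helper.js", "function add(a, b) { return a + b; }\n")
        zf.writestr("README.txt", "constructed sample archive\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding)
```

The threshold is deliberately a parameter: the article gives no figure for the inflation, so an operator should set it from the size distribution of scripts actually seen on their own gateway rather than from the constant above.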

Daily Brief Summary

MALWARE // Enhanced GootLoader Malware Targets Businesses via SEO Poisoning

GootLoader malware has been updated to version 3, expanding its functionality and distribution techniques.

The malware, associated with the Gootkit banking trojan and operated by Hive0127 (UNC2565), now includes a command-and-control and lateral movement tool dubbed GootBot.

GootLoader infects victims by masquerading as legitimate documents on compromised websites, using refined SEO poisoning to enhance its distribution.

Following infection, the malware establishes persistence through scheduled tasks and uses a series of encoded JavaScript and PowerShell scripts to gather system data and await further commands.

Attack methods have evolved to include embedding the malware within legitimate JavaScript libraries, like jQuery and Lodash, complicating detection and analysis.

Victims are typically enticed by manipulated search engine results directing them to download seemingly benign business documents, which contain the malicious payload.

The updated version maintains core functionalities similar to earlier iterations but has enhanced evasion techniques to stifle security analysis and detection efforts.