The Cyber Security News
GootLoader Malware Still Active, Deploys New Versions for Enhanced Attacks

July 5, 2024

The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts.

“Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use,” cybersecurity company Cybereason said in an analysis published last week.

“While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware’s resurgence in 2020.”


GootLoader, a malware loader that is part of the Gootkit banking trojan, is associated with a threat actor tracked as Hive0127 (aka UNC2565). It abuses JavaScript to download post-exploitation tools and is distributed via search engine optimization (SEO) poisoning tactics.

It typically serves as a conduit for delivering various payloads such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC.


In recent months, the threat actors behind GootLoader have also unleashed their own command-and-control (C2) and lateral movement tool dubbed GootBot, indicating that the “group is expanding their market to reach a broader audience for their financial gains.”

Attack chains involve compromising websites to host the GootLoader JavaScript payload by passing it off as legal documents and agreements. When launched, the payload sets up persistence using a scheduled task and executes additional JavaScript to kick-start a PowerShell script that collects system information and awaits further instructions.
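The persistence step described above, a scheduled task that re-launches a JavaScript file, leaves a trace in exported Task Scheduler definitions that a defender can hunt for. The following Python is an added example written for this article, not Cybereason's or GootLoader's code; the task names, file paths and task XML are constructed samples.

```python
"""Hunt exported Task Scheduler definitions for the GootLoader persistence pattern:
a task whose action runs a Windows script host on a .js file in a user-writable path.
Added example; the task XML below is constructed, not a captured sample."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Locations an unprivileged user can write to; a legitimate task rarely runs a .js from here.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\|%appdata%|%temp%|\\appdata\\|\\programdata\\", re.I)
JS_FILE = re.compile(r"\.jse?\b", re.I)  # .js or .jse


def extract_exec(task_xml: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for exe in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exe.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        yield cmd, args


def is_suspicious(task_xml: str) -> bool:
    """True when an action runs wscript/cscript on a .js(e) located in a user-writable path."""
    for cmd, args in extract_exec(task_xml):
        binary = cmd.strip('"').lower().replace("/", "\\").rsplit("\\", 1)[-1]
        command_line = f"{cmd} {args}"
        if binary in SCRIPT_HOSTS and JS_FILE.search(command_line) and USER_WRITABLE.search(command_line):
            return True
    return False


def hunt(tasks: dict) -> list:
    """Return the names of the tasks that match the persistence pattern."""
    return [name for name, xml in tasks.items() if is_suspicious(xml)]


def task_xml(command: str, arguments: str) -> str:
    """Build a minimal task definition in the schema that `schtasks /query /xml` exports."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


# Constructed task definitions (hypothetical names and paths, not real indicators).
SAMPLE_TASKS = {
    "Contract_Agreement_Update": task_xml("wscript.exe", r'"C:\Users\alice\AppData\Roaming\Contract_Agreement.js"'),
    "SystemMaintenance": task_xml(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\maintenance.js"),
    "DirListing": task_xml(r"%SystemRoot%\System32\cmd.exe", "/c dir"),
}

if __name__ == "__main__":
    print("Flagged tasks:", hunt(SAMPLE_TASKS))  # → ['Contract_Agreement_Update']
```

On a live host, feed `hunt()` the output of `schtasks /query /xml` per task; a hit is a starting point for triage, not proof of infection.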


“Websites that host these archive files leverage Search Engine Optimization (SEO) poisoning techniques to lure in victims that are searching for business-related files such as contract templates or legal documents,” security researchers Ralph Villanueva, Kotaro Ogino, and Gal Romano said.

The attacks are also notable for making use of source code encoding, control flow obfuscation, and payload size inflation in order to resist analysis and detection. Another technique involves embedding the malware in legitimate JavaScript library files like jQuery, Lodash, Maplace.js, and tui-chart.

“GootLoader has received several updates during its life cycle, including changes to evasion and execution functionalities,” the researchers concluded.



Some elements of this report are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.