GootLoader Malware Continues to Evolve with New Threats

The GootLoader malware is still actively used by cybercriminals to deliver various malicious payloads to compromised systems.

“Recent updates have led to several versions of GootLoader, with GootLoader 3 currently being the most active,” a cybersecurity firm stated in its analysis published last week.

“Although the specifics of the GootLoader payloads have evolved, the infection methods and core functionality have remained consistent since the malware’s resurgence in 2020.”

GootLoader, a component of the Gootkit banking trojan, is associated with the threat actor Hive0127 (also known as UNC2565). It is a JavaScript-based loader used to download post-exploitation tools, and it is disseminated using search engine optimization (SEO) poisoning techniques.

Typically, GootLoader serves as a conduit for deploying payloads such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC.

In recent times, the threat actors behind GootLoader have introduced their own command-and-control (C2) and lateral movement tool named GootBot, suggesting an expansion of their operations to increase their financial gains.

The attack process involves compromising websites to host the GootLoader JavaScript payload, disguised as legitimate documents and agreements. When these files are opened, they establish persistence via a scheduled task and execute additional JavaScript to initiate a PowerShell script that gathers system information and awaits further commands.
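The two host-side stages of that chain (a scheduled task that runs a `.js` file through a Windows script host, and the script host then spawning PowerShell) are what an endpoint detection rule would look for. The following added example is not from the article or from any vendor's analysis; it runs two such rules over constructed sample events shaped like Windows Security event 4698 (scheduled task created) and Sysmon event 1 (process create). The field names are assumptions chosen for the example, not a real log schema.

```python
import re

# Regexes for the behaviours described in the article: a Windows script host
# (wscript/cscript) running a .js file from a user profile, and PowerShell
# being launched by that script host.
SCRIPT_HOST = re.compile(r"(?:^|\\)[wc]script\.exe\b", re.I)
USER_PROFILE_JS = re.compile(r"c:\\users\\[^\\]+\\.*\.js\b", re.I)
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)

# Constructed sample events (not real telemetry). "id" mimics the Windows
# event ID; the other keys are simplified stand-ins for the real fields.
SAMPLE_EVENTS = [
    {"id": 4698, "task": r"\Updater",
     "action": r"wscript.exe C:\Users\alice\AppData\Roaming\contract_template.js"},
    {"id": 4698, "task": r"\Microsoft\Windows\Backup",
     "action": r"C:\Windows\System32\sdclt.exe"},
    {"id": 1, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <constructed-base64>"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def js_task_persistence(ev):
    """4698: task action runs a .js under C:\\Users via wscript/cscript."""
    action = ev.get("action", "")
    return ev.get("id") == 4698 and bool(
        SCRIPT_HOST.search(action) and USER_PROFILE_JS.search(action))


def scripthost_spawns_powershell(ev):
    """Sysmon 1: parent is wscript/cscript and the new image is PowerShell."""
    return ev.get("id") == 1 and bool(
        SCRIPT_HOST.search(ev.get("parent", ""))
        and POWERSHELL.search(ev.get("image", "")))


RULES = {"js_task_persistence": js_task_persistence,
         "scripthost_spawns_powershell": scripthost_spawns_powershell}


def detect(events):
    """Return one alert dict per (event, matching rule) pair, in input order."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "event": ev})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], "->", alert["event"])
```

Either rule alone will also fire on legitimate admin scripting, so in practice the two are correlated on the same host within a short window before raising an incident.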

“Websites hosting these archive files use SEO poisoning tactics to attract victims searching for business-related documents like contract templates or legal agreements,” explained security researchers.

These attacks are also notable for employing source code encoding, control flow obfuscation, and payload size inflation to evade analysis and detection. Another method includes embedding the malware in legitimate JavaScript library files such as jQuery, Lodash, Maplace.js, and tui-chart.

“GootLoader has undergone several updates throughout its lifecycle, incorporating changes to its evasion and execution capabilities,” the researchers concluded.

To mitigate the risk, organizations should implement robust security measures such as regularly updating software and systems to patch vulnerabilities, deploying advanced email filtering to block phishing attempts, and utilizing comprehensive endpoint protection solutions.

Regular security audits and continuous monitoring for unusual network activities are essential to detect and respond to threats promptly.