Pierluigi Paganini July 06, 2024

Researchers warn that the malware GootLoader is still active and threat actors are still using it in their campaigns.

Threat actors continue to use GootLoader malware in their campaigns, Cybereason researchers warn. The malware has evolved, resulting in several versions, with GootLoader 3 currently in use. Despite updates to the payload, the infection strategies and overall functionality have remained largely consistent since the malware’s resurgence in 2020.

GootLoader runs on an access-a-as-a-service model, it is used by different groups to drop additional malicious payloads on the compromised systems. GootLoader has been known to use fileless techniques to deliver threats such as the SunCrypt, and REvil (Sodinokibi) ransomware, Kronos trojans, and Cobalt Strike. In the past, GootLoader distributed malware masquerading as freeware installers and it used legal documents to trick users into downloading these files. 

GootLoader is a part of the GootKit malware family, which has been active since 2014. Mandiant tracked the threat actors behind GootKit as UNC2565.

The attack chain starts with a user searching for specific information in a search engine. Attackers use the black SEO technique to display a website compromised by GootLoader operators among the results.

Upon visiting the website, the victim will notice that it is presented as an online forum directly answering his query. This forum hosted a ZIP archive that contains the malicious .js file, which is used to establish persistence and drop a Cobalt Strike binary in the memory of the infected system.

The researchers reported that the first-stage GootLoader payload is large and heavily obfuscated, often exceeding 3.5MB. The malicious code executes via the Windows Script Host process (wscript), dropping on the disk a second-stage payload, which is also an obfuscated JavaScript file. The first-stage payload then registers a scheduled task to run the second-stage payload, which is executed immediately after the first stage ends.

The second-stage starts execution with script, then it shifts to a cscript process. The cscript instance spawns PowerShell, which deobfuscates and executes a script that begins discovery activities and communicates with the C2 server.

The stage 3 is the final payload, it is a PowerShell script that performs Discovery/Reconnaissance activity and communicates with C2 to download target malware.

“Depending on the version, the usage of the Stage 3’s PowerShell may differ.” concludes the report. “GootLoader 1.0 and 2.0 both utilize PowerShell to reflectively load and execute the .NET based DLL malware as part of post-exploitation. However, GootLoader 3.0 utilizes PowerShell to do both discovery work as well as C2 communication for backdoor command execution, with the executed commands responsible for post-exploitation activity such as downloading additional malware.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, malware)