GootLoader Malware Evolves, Still Wreaking Havoc via SEO Poisoning
Malicious software known as GootLoader is actively employed by cybercriminals to deliver additional malware onto compromised devices.
According to a recent analysis by Cybereason, updates to GootLoader have led to the emergence of several variants, with GootLoader 3 currently being the most active. Despite changes in specifics, the infection strategy and overall functionality of the malware remain similar to its initial deployment in 2020.
GootLoader itself is a malware loader and a component of the Gootkit banking trojan. It is closely associated with the Hive0127 group (also known as UNC2565). The loader is written in JavaScript, is used to stage post-exploitation tools, and is distributed via SEO poisoning.
GootLoader is often used to deliver a variety of malicious programs, such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC. A few months ago, the criminals behind GootLoader also released their own command-and-control and lateral movement tool called GootBot, indicating an expansion of their activities for greater financial gain.
Attack chains involve compromising websites to host malicious GootLoader JavaScript files disguised as legitimate documents and agreements. When such a file is executed on Windows, a scheduled task is created to maintain persistence, and an additional PowerShell script is run to gather system information and await further instructions.
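As an added illustration of the chain just described, here is a small correlation routine (written for this page, not code from Cybereason or from the malware) that walks constructed process-creation records and flags a script host launching a .js from a user download path, scoring the alert higher when a scheduled-task creation and a PowerShell child follow it. The field names (pid, ppid, image, cmdline) and the sample events are assumptions made for the example.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# user-writable locations where a downloaded archive is typically extracted
USER_PATH = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|appdata\\local\\temp)\\", re.I)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def _descends_from(event, root_pid, by_pid, max_depth=6):
    """True if the event's parent chain reaches root_pid within max_depth hops."""
    pid = event["ppid"]
    for _ in range(max_depth):
        if pid == root_pid:
            return True
        parent = by_pid.get(pid)
        if parent is None:
            return False
        pid = parent["ppid"]
    return False

def detect_gootloader_chain(events):
    """One alert per script-host launch of a .js from a user path; severity rises if a
    scheduled task is created or PowerShell is spawned somewhere below that process."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        cmd = e["cmdline"]
        if (_basename(e["image"]) not in SCRIPT_HOSTS
                or not re.search(r"\.js\b", cmd, re.I) or not USER_PATH.search(cmd)):
            continue
        kids = [c for c in events if _descends_from(c, e["pid"], by_pid)]
        task = any(_basename(c["image"]) == "schtasks.exe" and "/create" in c["cmdline"].lower() for c in kids)
        ps = any(_basename(c["image"]) in {"powershell.exe", "pwsh.exe"} for c in kids)
        severity = "high" if task and ps else "medium" if task or ps else "low"
        alerts.append({"pid": e["pid"], "script": cmd, "persistence": task,
                       "powershell": ps, "severity": severity})
    return alerts

# Constructed sample events (not real telemetry), in time order.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\service_agreement_template.js"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /create /sc onlogon /tn "Updater" /tr "<PLACEHOLDER>"'},
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <PLACEHOLDER>"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Program Files\Vendor\maintenance.js"'},  # benign: not a user path
]

if __name__ == "__main__":
    for alert in detect_gootloader_chain(SAMPLE_EVENTS):
        print(alert)
```

The benign cscript launch from Program Files produces no alert, while the Downloads launch is rated high because both the task creation and the PowerShell child descend from it.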
Security researchers from Cybereason note that malicious sites hosting the archive files used for infection employ SEO techniques to attract victims searching for business files, such as contract templates or legal documents.
The attacks are also notable for their use of source code encoding methods, control flow obfuscation, and increased payload size to counter analysis and detection. Another intriguing technique is embedding the malware within legitimate JavaScript library files, such as jQuery, Lodash, Maplace.js, and tui-chart.
Researchers assert that with the latest updates, GootLoader has become more stealthy and evasive, presenting a significantly greater threat than before. To protect against such cyber threats, it is critically important to regularly update software, use reliable antivirus solutions, and exercise caution when opening files from unverified sources.