The malware known as GootLoader remains actively used by threat actors to deliver additional payloads to compromised hosts.
“Recent updates to the GootLoader payload have resulted in multiple versions, with GootLoader 3 currently in active use,” cybersecurity firm Cybereason stated in an analysis published last week.
“While some details of GootLoader payloads have evolved, its infection strategies and overall functionality have remained consistent since the malware’s resurgence in 2020.”
GootLoader, the loader component of the Gootkit banking trojan, is associated with a threat actor tracked as Hive0127 (aka UNC2565). It uses JavaScript to download post-exploitation tools and is distributed through search engine optimization (SEO) poisoning.
It typically acts as a conduit for delivering a range of payloads, including Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC.
Recently, the threat actors behind GootLoader have also deployed their own command-and-control (C2) and lateral movement tool, named GootBot, suggesting that the group is expanding its operations to attract a broader audience for financial gain.
Attack chains involve compromising websites to host the GootLoader JavaScript payload, disguised as legal documents and agreements. When executed, this payload sets up persistence using a scheduled task and runs additional JavaScript to initiate a PowerShell script that collects system information and awaits further instructions.
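The chain just described (a JavaScript payload run by a Windows script host, persistence through a scheduled task, and a follow-on PowerShell stage) leaves a recognisable shape in process-creation telemetry. The following Python sketch is an added example, not code from the article or from Cybereason's analysis: it applies three simple rules to constructed process events. Every path, process id and command line in the sample data is hypothetical, and the rules are generic heuristics for this style of loader rather than signatures for a specific GootLoader build.

```python
"""
Heuristic hunt over endpoint process-creation telemetry for a loader chain of
the kind described above: a Windows script host (wscript/cscript) executing a
.js file from a user-writable directory, that script host spawning PowerShell,
and a scheduled task being created whose action runs a .js file.

All events below are constructed for this example; they are not real telemetry
and contain no real indicators.
"""
import re
from dataclasses import dataclass
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Directories a standard user can write to without elevation. A loader that
# arrived as a browser download ends up somewhere like this, not under
# Program Files or System32.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(downloads|appdata|desktop|documents)\\|\\temp\\",
    re.IGNORECASE,
)
# A .js argument on a command line, either quoted (may contain spaces) or bare.
JS_ARG = re.compile(r'"([^"]*\.js)"|(\S+\.js)(?=\s|$)', re.IGNORECASE)


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _js_path(cmdline: str) -> Optional[str]:
    m = JS_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def rule_script_host_user_js(ev: ProcessEvent) -> Optional[str]:
    """Script host executing a .js file from a user-writable directory."""
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return None
    path = _js_path(ev.cmdline)
    if path and USER_WRITABLE.search(path):
        return f"script host running JavaScript from user-writable path: {path}"
    return None


def rule_powershell_from_script_host(ev: ProcessEvent, by_pid: dict) -> Optional[str]:
    """PowerShell whose parent is wscript/cscript. Interactive users rarely
    launch PowerShell that way; script-based loaders frequently do."""
    if _basename(ev.image) not in POWERSHELL:
        return None
    parent = by_pid.get(ev.ppid)
    if parent and _basename(parent.image) in SCRIPT_HOSTS:
        return f"PowerShell spawned by {_basename(parent.image)} (pid {parent.pid})"
    return None


def rule_scheduled_task_js(ev: ProcessEvent) -> Optional[str]:
    """schtasks /create whose task action references a .js file."""
    if _basename(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    path = _js_path(ev.cmdline)
    return f"scheduled task created to run JavaScript: {path}" if path else None


def scan(events: list) -> dict:
    """Return {pid: [reasons]} for every event that trips at least one rule."""
    by_pid = {ev.pid: ev for ev in events}
    findings = {}
    for ev in events:
        reasons = [r for r in (rule_script_host_user_js(ev),
                               rule_powershell_from_script_host(ev, by_pid),
                               rule_scheduled_task_js(ev)) if r]
        if reasons:
            findings[ev.pid] = reasons
    return findings


# Constructed sample telemetry: hypothetical pids, users, paths and task names.
EVENTS = [
    ProcessEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(1200, 400, r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\alice\Downloads\contract template.js"'),
    ProcessEvent(1300, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden"),
    ProcessEvent(1310, 1200, r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /create /tn Updater /sc onlogon /tr "wscript.exe C:\Users\alice\AppData\Roaming\u.js"'),
    # Benign controls: an admin running a system .vbs, and a developer running a build script.
    ProcessEvent(2000, 400, r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe C:\Windows\System32\slmgr.vbs /dli"),
    ProcessEvent(2100, 400, r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\bob\dev\build.js"),
]

if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        for reason in reasons:
            print(f"pid {pid}: {reason}")
```

Run against the constructed events, the script host launching the downloaded .js, the PowerShell child and the schtasks call are each flagged, while the two benign script-host invocations are not. In a real deployment the parent-child rule is the most durable of the three, because it does not depend on where the file was dropped or on the task name the loader chooses.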
“Sites hosting these archive files utilize SEO poisoning techniques to lure victims searching for business-related files such as contract templates or legal documents,” security researchers Ralph Villanueva, Kotaro Ogino, and Gal Romano explained.
The attacks are also notable for employing techniques like source code encoding, control flow obfuscation, and payload size inflation to resist analysis and detection. Another method involves embedding the malware in legitimate JavaScript library files like jQuery, Lodash, Maplace.js, and tui-chart.
“GootLoader has undergone several updates during its lifecycle, including changes to its evasion and execution functionalities,” the researchers concluded.