Decrypt LOL

GootLoader Malware Evolves into Initial Access Platform


Quick take - GootLoader, malware previously tied to cybercriminal ransomware and banking-trojan operations, has evolved into an initial-access-as-a-service platform that uses SEO poisoning to compromise victims' systems and deploy further malicious payloads, prompting proactive threat hunting by security firms.

Fast Facts

  • GootLoader has evolved into an initial-access-as-a-service platform that uses SEO poisoning to lure victims into clicking malicious links.
  • Once executed, GootLoader can remain undetected and deploy a second-stage payload, GootKit, which functions as a remote access Trojan (RAT).
  • A recently identified variant targeted search queries about Bengal cats in Australia to deliver a JavaScript-based malicious payload.
  • The operation created a scheduled task to run the second-stage payload; dynamic analysis showed WScript.exe and PowerShell.exe in the execution chain.
  • Users are advised to be wary of overly enticing search results and advertisements; Sophos endpoint protection blocks GootLoader through specific detections.

GootLoader: A New Threat Landscape

GootLoader, malware initially associated with the cybercriminals behind the REvil ransomware and the Gootkit banking trojan, has transformed into an initial-access-as-a-service platform. The platform relies on search engine optimization (SEO) poisoning: victims are enticed to click seemingly legitimate marketing links or search results, which compromises their systems.

Operation and Functionality

Once executed, GootLoader can remain undetected on a victim's machine and deploy a second-stage payload known as GootKit. GootKit functions as a remote access Trojan (RAT) and establishes a persistent presence within the victim's network, from which it can deploy ransomware or additional post-exploitation tools such as Cobalt Strike.

A recent variant of GootLoader prompted a proactive threat hunting campaign by Sophos X-Ops Managed Detection and Response (MDR). This variant also used SEO poisoning and delivered a JavaScript-based package. The investigation found that GootLoader operators targeted search queries about Bengal cats in Australia to deliver their malicious payload.

Threat Analysis and Mitigation

During the hunt, a .zip archive containing GootLoader's first-stage payload was found to have been downloaded onto victims' machines. Browser history from the affected users helped identify the malicious sites involved. Once executed, the first-stage payload ran a JavaScript file that in turn dropped a larger JavaScript file onto the victim's system.

The operation involved creating a scheduled task named “Business Aviation,” designed to execute the second-stage payload using WScript.exe. Additionally, PowerShell.exe was observed being spawned during the execution of the malicious scripts. Although the third-stage payload, typically responsible for deploying further tools or ransomware, was not successfully executed in this instance, the threat posed by GootLoader remains significant.

Static analysis of the downloaded .zip file revealed a heavily obfuscated JavaScript file padded with boilerplate licensing comments to masquerade as legitimate code. A Python script published by Mandiant was used to decode the obfuscation for further analysis. Dynamic analysis indicated that WScript.exe could create files without writing them to disk, and network analysis showed the malicious JavaScript making requests to several domains, sending Base64-encoded cookies that carried device and host information.
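The execution chain described in the two paragraphs above (a script host running a dropped .js from a user-writable directory, PowerShell spawned beneath it, a scheduled task pointing a script host at a second-stage .js, and outbound requests whose Base64 cookies name the host) is what a threat hunter would look for in endpoint and proxy telemetry. The following is an added example written for this page; it is not code from the article, from Sophos or from Mandiant. The event records, field names, file paths and the cookie contents are hand-constructed stand-ins for Sysmon/EDR process-creation events, scheduled-task definitions and proxy logs, not a real schema, and the task name "Business Aviation" is the only identifier taken from the article.

```python
"""Hunt for the GootLoader execution chain in constructed Windows telemetry.

Added example, not the article's or Sophos's code. All records below are
constructed samples; field names and paths are assumptions, not a real schema.
"""
import base64
import binascii
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a low-privilege user can write to, where a downloaded .zip gets unpacked.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# A quoted path (may contain spaces) or a bare token ending in .js on a command line.
JS_ARG = re.compile(r'"([^"]+\.js)"|(\S+\.js)', re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def exe_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def user_js_script(cmdline: str):
    """Return the .js path if the command line runs a script from a user-writable dir."""
    m = JS_ARG.search(cmdline)
    if not m:
        return None
    script = m.group(1) or m.group(2)
    return script if USER_WRITABLE.search(script) else None


def find_gootloader_chains(events):
    """wscript/cscript running a user-dropped .js, plus any PowerShell it spawns."""
    hits = []
    for e in events:
        if exe_name(e.image) not in SCRIPT_HOSTS:
            continue
        script = user_js_script(e.cmdline)
        if script is None:
            continue
        children = [c.pid for c in events
                    if c.ppid == e.pid and exe_name(c.image) == "powershell.exe"]
        hits.append({"pid": e.pid, "script": script, "powershell_children": children})
    return hits


def suspicious_scheduled_tasks(tasks):
    """Task names whose action is a script host pointed at a user-writable .js."""
    return [t["name"] for t in tasks
            if exe_name(t["execute"]) in SCRIPT_HOSTS and user_js_script(t["arguments"])]


def _b64_decode_lenient(value: str):
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def cookies_leaking_host(request_lines, hostname: str):
    """(url, cookie name) pairs whose Base64 cookie value decodes to text naming this host."""
    leaks = []
    for line in request_lines:
        m = re.search(r"Cookie: (.+)$", line)
        if not m:
            continue
        url = line.split()[1]
        for pair in m.group(1).split(";"):
            name, _, value = pair.strip().partition("=")
            raw = _b64_decode_lenient(value)
            if raw and hostname.lower() in raw.decode("utf-8", "replace").lower():
                leaks.append((url, name))
    return leaks


# Constructed sample telemetry (assumed shapes, not real Sysmon/EDR output).
SAMPLE_EVENTS = [
    ProcEvent(100, 50, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\bengal_cats_in_australia.js"'),
    ProcEvent(210, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -Command Get-ComputerInfo"),
    ProcEvent(300, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Program Files\Vendor\maint.js"'),   # not user-writable
    ProcEvent(400, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]
SAMPLE_TASKS = [
    {"name": "Business Aviation", "execute": "wscript.exe",
     "arguments": r'"C:\Users\alice\AppData\Roaming\Business Aviation\stage2.js"'},
    {"name": "OneDrive Standalone Update Task", "arguments": "",
     "execute": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
]
_LEAK = base64.b64encode(b"ALICE-PC|Windows 10|alice|x64").decode()   # constructed cookie
SAMPLE_REQUESTS = [
    "GET https://cdn-example.invalid/app.js Cookie: theme=dark; sid=abc123",
    "GET https://lookup-example.invalid/lookup Cookie: __ga=" + _LEAK,
]

if __name__ == "__main__":
    print(find_gootloader_chains(SAMPLE_EVENTS))
    print(suspicious_scheduled_tasks(SAMPLE_TASKS))
    print(cookies_leaking_host(SAMPLE_REQUESTS, "ALICE-PC"))
```

The script-host check deliberately ignores .js files under Program Files so that vendor maintenance scripts do not drown the alert; the cookie check is lenient about padding because in-the-wild values are often truncated or unpadded, and it compares decoded text against the known hostname rather than against any fixed field layout, since the article gives no cookie format.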

Indicators of compromise (IOCs) for GootLoader were classified by SophosLabs, reflecting the broader trend of malware delivery-as-a-service operations that rely on SEO poisoning. To reduce risk, users are advised to treat search results and advertisements that seem too enticing or too good to be true with caution. Sophos endpoint protection blocks GootLoader through behavioral and malware-specific detections.

Original Source: Read the Full Article Here
