A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection. GootLoader is a stealthy malware classified as a first-stage downloader designed to attack Windows-based systems. It is considered an Initial-Access-as-a-Service (IAaaS) tool used within a ransomware-as-a-service (RaaS) criminal business model. The GootLoader group's introduction of their custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2, such as CobaltStrike or RDP.[1]
Cobalt Strike is a powerful tool used to replicate the tactics and techniques of long-term embedded attackers in red teaming engagements and adversary simulations. Known for its signature payload, Beacon, and highly flexible C2 framework, Cobalt Strike is ideal for performing post-exploitation tasks. It can be easily modified with custom scripts, adjustable attack kits, and user-created extensions.
This new variant is a lightweight but practical malware, allowing attackers to spread throughout the network and deploy further payloads rapidly. GootLoader, as the name implies, can download next-stage malware after luring potential victims using search engine optimization (SEO) poisoning tactics. It's linked to a threat actor called Hive0127 (aka UNC2565).
The use of GootBot points to a tactical shift, with the implant downloaded as a payload after a Gootloader infection in place of post-exploitation frameworks such as CobaltStrike. Described as an obfuscated PowerShell script, GootBot is designed to connect to a compromised WordPress site for command and control and receive further commands. Complicating matters further is the use of a unique hard-coded C2 server for each deposited GootBot sample, making it challenging to block malicious traffic.
Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file. The archive file incorporates an obfuscated JavaScript file, which, upon execution, fetches another JavaScript file that's triggered via a scheduled task to achieve persistence.
In the second stage, JavaScript is engineered to run a PowerShell script for gathering system information and exfiltrating it to a remote server, which, in turn, responds with a PowerShell script that's run in an infinite loop and grants the threat actor to distribute various payloads.
This includes GootBot, which beacons out to its C2 server every 60 seconds to fetch PowerShell tasks for execution and transmit the results of the execution back to the server in the form of HTTP POST requests. Some of the other capabilities of GootBot range from reconnaissance to carrying out lateral movement across the environment, effectively expanding the scale of the attack.
The discovery of the Gootbot variant highlights the lengths to which attackers will go to evade detection and operate in stealth. This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as GootLoader-linked ransomware affiliate activity.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, a demo or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://thehackernews.com/2023/11/new-gootloader-malware-variant-evades.html
Comments