What The Heck is a Bootloader?

A malware loader or bootloader, also known as a boot program or bootstrap loader, is special operating-system software that is loaded into a computer's working memory after start-up. Immediately after a device starts, a bootloader is generally launched from a bootable medium such as a hard drive, a CD/DVD or a USB stick. The computer's firmware (e.g. the BIOS) supplies the information about where on the boot medium the bootloader is located. The whole process is also described as "booting".

When you press the power button on a computer, the very first thing you see on the screen is information about the installed hardware. The software responsible for this output is the device firmware mentioned above, which manufacturers usually store in flash memory on the computer's motherboard. On most desktop PCs and notebooks this is the BIOS (Basic Input/Output System) or the more modern UEFI (Unified Extensible Firmware Interface). Both collect a wide range of hardware data and build a complete list of the device's available drives.

When this process is complete, the firmware goes through the data carriers it found in sequence, checking each for a bootloader by means of a special signature, the so-called boot signature (or "boot record"). The search always starts on the removable media (CD/DVD, USB stick, external hard drive, etc.), followed by the fixed internal drives. On the latter, the bootloader and its signature are generally located in the master boot record (MBR), which also contains the data carrier's partition table. When a bootloader is found, it is loaded and the system start is initiated. If the search is unsuccessful, the firmware returns an error message.
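The search described above, as an added example that is not part of the original report or of any tool Red Sky Alliance or Sophos describe: a small Python parser for a 512-byte MBR sector. It checks for the 0x55 0xAA boot signature at bytes 510-511, decodes the four 16-byte partition entries that follow the 446-byte code region, walks a list of drives in firmware order to pick the first bootable one, and hashes the code region on its own, since a tampered bootloader (the bootkit case a defender cares about) leaves the signature and partition table intact. The sample sectors, drive names and search order are constructed for the demonstration.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 446                 # bytes 0..445 hold the bootloader's first-stage code
PARTITION_TABLE_OFFSET = 446         # four 16-byte entries follow the code region
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE_OFFSET = 510          # bytes 510-511 must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    slot: int            # 0..3
    bootable: bool       # status byte 0x80 marks the active partition
    type_id: int         # e.g. 0x83 Linux, 0x07 NTFS/exFAT, 0xEE protective GPT
    lba_start: int
    sector_count: int


def has_boot_signature(sector: bytes) -> bool:
    """True when the sector is 512 bytes long and ends in the 0x55 0xAA boot signature."""
    return len(sector) == MBR_SIZE and sector[BOOT_SIGNATURE_OFFSET:] == BOOT_SIGNATURE


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four primary partition entries; empty slots (type 0) are skipped."""
    entries = []
    for slot in range(4):
        offset = PARTITION_TABLE_OFFSET + slot * PARTITION_ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, type_id, _chs_end, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, offset
        )
        if type_id == 0:
            continue
        entries.append(PartitionEntry(slot, status == 0x80, type_id, lba_start, count))
    return entries


def boot_code_sha256(sector: bytes) -> str:
    """Hash the code region only, so a replaced bootloader shows up even when the
    partition table and boot signature are untouched; compare against a known-good baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def find_bootable_medium(media: Dict[str, bytes], search_order: List[str]) -> Optional[str]:
    """Walk the drives in firmware order and return the first whose sector 0 carries a
    boot signature, or None (the firmware's 'no bootable device' error case)."""
    for name in search_order:
        if has_boot_signature(media.get(name, b"")):
            return name
    return None


def build_sample_mbr(bootable: bool = True) -> bytes:
    """Constructed sample sector: a stub code area, one Linux partition and the signature
    (omitted when bootable=False to model a data-only disk with no bootloader)."""
    code = b"\xfa\x33\xc0\x8e\xd0" + b"\x00" * (BOOT_CODE_SIZE - 5)   # cli; xor ax,ax; mov ss,ax
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x83, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)
    return code + table + (BOOT_SIGNATURE if bootable else b"\x00\x00")


if __name__ == "__main__":
    # Constructed drive set: a USB stick with no bootloader, then an internal disk with one.
    drives = {"usb0": build_sample_mbr(bootable=False), "hdd0": build_sample_mbr()}
    chosen = find_bootable_medium(drives, ["usb0", "hdd0"])
    print("firmware would boot from:", chosen)
    for part in parse_partition_table(drives[chosen]):
        print(part)
    print("boot code sha256:", boot_code_sha256(drives[chosen]))
```

To use it against a real disk, read the first 512 bytes of the block device (with the appropriate privileges) and pass them to the same functions; the hash of the code region is what to record at baseline time and re-check later.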

A new bootloader named "Gootloader" is using search engine optimization techniques to spread ransomware, Trojans and other malware, the security firm Sophos reports. The campaign is active in North America, South Korea, Germany and France, Sophos researchers say. To trick victims into visiting infected websites, "Gootloader uses malicious search engine optimization techniques to squirm into Google search results," Sophos notes. "These techniques are effective at evading detection over a network right up to the point where the malicious activity trips over behavioral detection rules."

When someone enters certain keywords into a Google search, they are shown a link to the malicious website. Once they visit the website, they are prompted to download a zip file that installs Gootloader, which then loads REvil ransomware and the Gootkit and Kronos Trojans, the report notes. Sophos researchers say the Gootloader campaign uses a network of 400 compromised websites, including the site of a neonatal medical practice in Canada. "None of the site's legitimate content has anything to do with real estate transactions (its doctors deliver babies), and yet it is the first result to appear in a query about a very narrowly defined type of real estate agreement," the report notes. "Google itself indicates the result is not an ad, and they have known about the site for nearly seven years. To the end user, the entire thing looks legitimate."

A malicious server checks whether the loaded page meets Gootloader's criteria and then redraws the page to give the visitor the impression that they are in a discussion forum. The forum then prompts the victim to download a .ZIP file containing a JavaScript file that, when executed, downloads the first-stage payload onto the victim's device. "This 'first stage' script is the only component of the attack written to the filesystem," Sophos notes. "Because it's the only one exposed to conventional AV scanning methods, the author has obfuscated the script and added two layers of encryption to strings and data blobs related to the next stage of the attack."

Gootloader then downloads a .NET injector, which in turn loads the final payloads, such as REvil and Gootkit. Sophos says this new loader belongs to the Gootkit malware family, which has been active since 2011. Gootkit is a banking Trojan that is largely written in Node.js. The malware can record video to steal financial information from victims and can load the REvil ransomware strain.

Other well-known bootloaders include:

  • Bootmgr
  • NT loader (NTLDR)
  • Barebox
  • efi
  • BootX
  • Grand Unified Bootloader (GRUB)
  • ARM Core Bootloader
  • OpenBIOS

In December 2020, security firm Malwarebytes uncovered a Gootkit campaign that used compromised websites to deliver payloads. Once the payloads were downloaded, the victims' devices were infected with Gootkit.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports, available at https://redskyalliance.org at no charge.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com.


Reporting:    https://www.redskyalliance.org/

Website:       https://www.wapacklabs.com/

LinkedIn:      https://www.linkedin.com/company/wapacklabs/

Twitter:         https://twitter.com/wapacklabs?lang=en

Weekly Cyber Intelligence Briefings: 

https://attendee.gotowebinar.com/register/8782169210544615949


TR-21-074-001_Bootloader.pdf


https://www.bankinfosecurity.com/hackers-use-search-engine-optimization-to-deliver-malware-a-16092?rf=2021-03-03_ENEWS_SUB_BIS__Slot3_ART16092&mkt_tok=MDUxLVpYSS0yMzcAAAF7l9PZuP6CNWFPmiMB4N_kqJuO4Pj8t60H8zodmkaKccuAXWgDHKONKIJHCVVeawcrI2lEIOXdshdKBSm7qAGz4VBFL21sGGsvvBmQuWBNgi2mOZk
