GOOTLOADER malware evolves using new advanced tactics

November 18, 2024

The Gootloader malware has reportedly improved its capabilities, employing novel tactics that help financially motivated threat actors distribute ransomware, steal data, and pursue other malicious goals.

Malware operators have distributed this loader through compromised websites for at least four years. It frequently reaches victims through SEO poisoning, which lures them into visiting infected WordPress websites.

This method preys on people searching for legitimate resources, deceiving them into downloading an archive that contains a malicious JavaScript file. The operators use a multi-stage infection process designed primarily to evade security detection.

After the first JavaScript file from the downloaded archive is processed, the threat actors deliver a second-stage payload to the victim's device. This payload is saved with a misleading file extension such as .dat or .log, then renamed to .js and run via a scheduled task to establish persistence. The payload is also padded to an inflated file size to evade detection.

Further investigation revealed that the attackers created a scheduled task to launch the second-stage .js file. The task provides persistence and is also the mechanism that executes the second-stage file for the first time.

The PowerShell script within GOOTLOADER malware is a feature for data exfiltration.

According to reports, the GOOTLOADER malware includes a built-in PowerShell script dubbed 'GOOTLOADER.POWERSHELL'. This script lets its operators run a sophisticated data exfiltration process that begins by gathering system information. That information is then compressed, encoded, and sent to a C2 server.

In addition, the script's obfuscation, which includes hard-coded bytes and padding techniques, makes it impossible to analyse without prior expertise. Researchers also noted that the script Base64-encodes the collected data and compresses it with gzip before transmitting it to the command-and-control server, a tactic that could help attackers conceal their activity from detection solutions.

The infection process sends the encoded data in an HTTP GET request, using unique identifiers for the different categories of system information it collects, such as environment variables, running processes, and disk space.

These IDs let the threat actors tailor their collection, requesting only the information they need from each compromised system. Researchers warn that the GOOTLOADER developers are continually expanding the malware's capabilities, making it an increasingly significant threat to security solutions. Organisations should therefore strengthen their security controls to limit the impact of this threat.
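As an added, defender-side example (not code from the report or from the malware itself), the following Python flags GET requests in web-proxy or web-server logs whose query values decode from Base64 into a gzip blob, which is the exfiltration shape described above. The log lines and the system-information sample are constructed; the parameter names and the log path are assumptions, since the report does not give the real identifiers.

```python
import base64
import gzip
import re
from urllib.parse import quote, urlsplit, parse_qsl

GZIP_MAGIC = b"\x1f\x8b"
MIN_B64_LEN = 32  # skip short values; an exfiltrated blob is far longer
REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')  # CLF request-line field

def decode_b64_gzip(value):
    """Return the gunzipped bytes if value is base64(gzip(...)), else None."""
    if len(value) < MIN_B64_LEN:
        return None
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if not raw.startswith(GZIP_MAGIC):
        return None
    try:
        return gzip.decompress(raw)
    except (OSError, EOFError):
        return None

def scan_proxy_log(lines):
    """One finding per GET query parameter that decodes to a gzip blob."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            payload = decode_b64_gzip(value)
            if payload is not None:
                findings.append({"path": url.path, "param": name, "decoded": payload})
    return findings

def build_sample_log():
    """Constructed sample: two benign requests and one carrying base64(gzip(sysinfo))."""
    sysinfo = b"COMPUTERNAME=WS01\r\nUSERNAME=jdoe\r\nDisk C: 120GB free\r\n" * 4
    blob = quote(base64.b64encode(gzip.compress(sysinfo)).decode(), safe="")
    return [
        '10.0.0.5 - - [18/Nov/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
        '10.0.0.5 - - [18/Nov/2024:10:01:03 +0000] "GET /search?q=hello+world HTTP/1.1" 200 2048',
        f'10.0.0.5 - - [18/Nov/2024:10:01:09 +0000] "GET /x.php?id=7&d={blob} HTTP/1.1" 200 0',
    ]
```

Run over real logs, this is a triage filter rather than a verdict: benign services also carry compressed Base64 in URLs, so findings should be reviewed alongside the requesting host and destination.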
