Latest GootLoader malware adopts new obfuscation techniques

February 9, 2023
Latest GootLoader Malware Obfuscation Techniques

The GootLoader malware operators, tracked as UNC2565, have updated their toolset to improve their campaigns. The new features are the further distribution of payloads after infection, upgraded stealth capabilities, and new components carried by the malware.

According to the investigation, researchers observed a new variant of this malware in November last year. At that time, the actors used a new infection chain dubbed GOOTLOADER[.]POWERSHELL.

Once a user visits a website controlled by UNC2565, a malicious ZIP archive containing a JavaScript file is downloaded to the user’s device. When the user launches the JS file, it drops an inflated file with a [.]LOG extension that is padded with junk code as an obfuscation tactic.

The dropper then creates a scheduled task that runs the JavaScript file immediately and ensures that the file persists on the infected device across shutdowns and reboots.

The malware then spawns a PowerShell process that gathers information from the device, such as the OS version, process details, and file names. These details are sent to the attacker-controlled command-and-control server as a Gzip-compressed file.

Upon receiving this information, the C2 server can respond with a payload that further compromises the device with additional loads.
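A defender-side triage heuristic for the chain described above, written as an added example rather than code from the article or from any vendor: it flags a script host running a .js file, a scheduled task whose action runs a .js file, an oversized .log file written by the script host, and PowerShell spawned as a child of the script host. The event records and the 10 MiB "inflated" threshold are constructed assumptions.

```python
import re

# Constructed sample telemetry (not from the article); a simplified dict form
# standing in for process-creation, scheduled-task and file-write events.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\contract\contract.js"'},
    {"type": "task", "name": "ChromaUpdate",
     "action": r'wscript.exe "C:\Users\alice\AppData\Roaming\Chroma\chroma.js"'},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Chroma\chroma.log",
     "size": 40 * 1024 * 1024, "creator": r"C:\Windows\System32\wscript.exe"},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -NoProfile -Command <elided>"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe readme.txt"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
JS_ARG = re.compile(r"\.js\b", re.IGNORECASE)   # a .js path in a command line
INFLATED_LOG_BYTES = 10 * 1024 * 1024           # assumed threshold for "inflated"


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (finding, detail) pairs for events matching the described chain."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            img, parent = basename(ev["image"]), basename(ev["parent"])
            if img in SCRIPT_HOSTS and JS_ARG.search(ev["cmdline"]):
                findings.append(("script_host_runs_js", ev["cmdline"]))
            if img == "powershell.exe" and parent in SCRIPT_HOSTS:
                findings.append(("powershell_child_of_script_host", ev["cmdline"]))
        elif ev["type"] == "task" and JS_ARG.search(ev["action"]):
            findings.append(("scheduled_task_runs_js", ev["name"]))
        elif ev["type"] == "file":
            if (basename(ev["creator"]) in SCRIPT_HOSTS
                    and ev["path"].lower().endswith(".log")
                    and ev["size"] >= INFLATED_LOG_BYTES):
                findings.append(("script_host_wrote_inflated_log", ev["path"]))
    return findings
```

Calling `triage(SAMPLE_EVENTS)` returns four findings for the constructed events and none for the benign notepad launch; in practice the same checks map onto Sysmon event IDs 1 (process creation), 11 (file creation) and the scheduled-task event log.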

The obfuscation used in the latest strain is more sophisticated than in previous versions, because the malicious code is nested throughout the file.

Furthermore, the malware includes additional string variables that the attackers utilise in the subsequent phases of deobfuscation. Finally, the malware can trojanise multiple JavaScript libraries, such as Underscore[.]js, Chroma[.]js, and jQuery.

Threat actors have been adding new features to their GootLoader malware.

The GootLoader operators are constantly improving their payloads, which implies that they plan to make GootLoader their primary weapon in future attacks. Organisations should therefore implement enterprise-grade security controls, such as giving their personnel access to a real-time threat intelligence exchange platform.

Lastly, organisations should invest in training their employees in basic cybersecurity practices so that they can mitigate the impact of different hackers and threat groups.
