GootBot, the latest variant of the GootLoader malware

February 26, 2024
GootBot GootLoader Malware SEO Manipulation Threat Intelligence

The newest iteration of the GootLoader malware, GootBot, has recently emerged in the threat landscape.

Based on reports, it gives its operators lateral movement within a compromised environment while effectively avoiding security detection. The GootLoader group has introduced GootBot in the later stages of its attack chain, aiming to avoid the detection associated with standard command-and-control tools such as Cobalt Strike or RDP.

The GootLoader operators commonly employ search engine optimisation (SEO) manipulation tactics to lure potential victims. Moreover, researchers believe that this malware operation has connections with a threat actor called Hive0127.


The GootBot campaign is a new tactic leveraged by the GootLoader operation.


The GootBot malware is an implant that launches on infected devices following a GootLoader infection, in place of post-exploitation frameworks like Cobalt Strike.

In addition, the researchers described GootBot as an obfuscated PowerShell script that could establish a connection with a compromised WordPress site for C2 purposes, as well as to receive further instructions.

Each GootBot sample employs a unique, hard-coded C2 server, making it challenging to block malicious traffic. Ongoing campaigns utilise SEO-poisoned searches related to contracts, legal forms, and business documents.

These searches redirect victims to compromised sites that pose as legitimate forums, where they unknowingly download an initial payload as an archive file.

The archive file contains a malicious JavaScript script that, when executed, retrieves another JavaScript file, which is launched through a scheduled task to establish persistence. In the second stage, the JavaScript script runs a PowerShell script that harvests system information and exfiltrates it to an attacker-controlled server. In response, the server sends a PowerShell script that runs indefinitely, allowing the threat actor to launch various payloads.
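The persistence step described above, a scheduled task that launches a JavaScript file through a Windows script host, is something a defender can triage from a task inventory. The following is an added example, not code from the original post or from the researchers it cites: it runs over a constructed, simplified list of task actions (task name, executable, arguments, as you would get from a `schtasks` or `Get-ScheduledTask` export) and flags tasks whose action is a script host running a `.js`/`.jse`/`.wsf` file from a user-writable location. The field layout, the task names and the paths are all constructed for the example.

```python
"""Triage scheduled tasks for script-host persistence (added example, constructed data)."""
import re
from dataclasses import dataclass

# Windows script hosts that can run JavaScript / WSF content.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf)(\"|\s|$)", re.IGNORECASE)
# Locations a standard user can write to; a scheduled task whose script
# lives here is far more suspicious than one under %windir%.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.IGNORECASE)


@dataclass
class TaskAction:
    task_name: str   # path of the task in the Task Scheduler tree
    command: str     # executable the task launches
    arguments: str   # its command line arguments


def executable_name(path: str) -> str:
    """Return the bare executable file name, lower-cased, regardless of quoting or directory."""
    return path.replace("/", "\\").split("\\")[-1].strip('"').lower()


def classify(action: TaskAction) -> str:
    """Return 'high', 'medium' or 'none' for one task action."""
    host = executable_name(action.command) in SCRIPT_HOSTS
    script = bool(SCRIPT_EXT.search(action.arguments))
    if host and script and USER_WRITABLE.search(action.arguments):
        return "high"     # script host + JS file + user-writable path
    if host and script:
        return "medium"   # script host running a JS file from elsewhere
    return "none"


def triage(actions):
    """Return (task_name, severity) for every task that is not benign, worst first."""
    order = {"high": 0, "medium": 1}
    found = [(a.task_name, classify(a)) for a in actions]
    found = [(n, s) for n, s in found if s != "none"]
    return sorted(found, key=lambda pair: order[pair[1]])


# Constructed sample inventory: one benign OS task, one benign updater, two script-host tasks.
SAMPLE_TASKS = [
    TaskAction(r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe", "-c -h -o"),
    TaskAction(r"\Contract Review", r"C:\Windows\System32\wscript.exe",
               r'"C:\Users\jdoe\AppData\Roaming\Contract Template.js"'),
    TaskAction(r"\OneDrive Update", r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe", ""),
    TaskAction(r"\Inventory Sync", r"C:\Windows\System32\cscript.exe", r"//nologo C:\Scripts\sync.wsf"),
]

if __name__ == "__main__":
    for name, severity in triage(SAMPLE_TASKS):
        print(f"{severity:6s} {name}")
```

Treat "medium" hits as candidates for review rather than alerts: legitimate administrative `.wsf` and `.js` tasks exist, but they normally live under system or admin-controlled paths, which is why the user-writable check drives the "high" rating.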

Lastly, GootBot will maintain contact with its C2 server, sending HTTP POST requests every 60 seconds to obtain PowerShell tasks for execution and transmit the results back to the server. The malware’s capabilities extend from reconnaissance to facilitating lateral movement within the infected environment, effectively increasing the scope of the attack.
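A fixed 60-second POST cadence to a single host is a detectable network pattern. The following is an added example, not code from the original post or from the cited researchers: it parses a constructed proxy log (timestamp, source IP, method, URL), groups POST requests by source and destination host, and flags pairs whose inter-request gaps cluster tightly around an expected interval. The log format, the sample lines, the hostnames and the thresholds (60 s expected, 5 s tolerance, at least five requests) are all assumptions made for the example.

```python
"""Detect fixed-interval HTTP POST beaconing in proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed proxy log: "<ISO timestamp> <src_ip> <method> <url>" per line.
# 10.0.0.5 POSTs to one host roughly every 60 s; 10.0.0.7 POSTs irregularly.
SAMPLE_LOG = """\
2024-02-26T10:00:00 10.0.0.5 POST http://compromised-blog.test/xmlrpc.php
2024-02-26T10:00:05 10.0.0.7 POST http://intranet.test/api/save
2024-02-26T10:00:09 10.0.0.7 POST http://intranet.test/api/save
2024-02-26T10:00:30 10.0.0.5 GET http://cdn.example.test/app.js
2024-02-26T10:01:02 10.0.0.5 POST http://compromised-blog.test/xmlrpc.php
2024-02-26T10:02:00 10.0.0.5 POST http://compromised-blog.test/xmlrpc.php
2024-02-26T10:02:59 10.0.0.5 POST http://compromised-blog.test/xmlrpc.php
2024-02-26T10:04:01 10.0.0.5 POST http://compromised-blog.test/xmlrpc.php
2024-02-26T10:05:00 10.0.0.5 POST http://compromised-blog.test/xmlrpc.php
2024-02-26T10:07:40 10.0.0.7 POST http://intranet.test/api/save
2024-02-26T10:20:00 10.0.0.7 POST http://intranet.test/api/save
2024-02-26T10:31:12 10.0.0.7 POST http://intranet.test/api/save
"""


def parse_line(line: str):
    """Split one log line into (timestamp, src_ip, method, url)."""
    ts, src, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), src, method, url


def host_of(url: str) -> str:
    """Extract the host part of a URL without pulling in urllib."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def find_beacons(lines, expected=60.0, tolerance=5.0, min_requests=5):
    """Return one dict per (src, host) pair whose POST cadence matches the expected interval.

    A pair is reported when its median gap is within `tolerance` seconds of
    `expected` and the gaps are tightly clustered (max - min <= 2 * tolerance).
    """
    series = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, method, url = parse_line(line)
        if method != "POST":
            continue
        series[(src, host_of(url))].append(ts)

    hits = []
    for (src, host), times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        spread = max(gaps) - min(gaps)
        if abs(med - expected) <= tolerance and spread <= 2 * tolerance:
            hits.append({"src": src, "host": host, "count": len(times), "median_gap": med})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{hit['src']} -> {hit['host']}: {hit['count']} POSTs, median gap {hit['median_gap']:.0f}s")
```

The max-minus-min spread is a deliberately blunt jitter check that suits a short window; over a long capture a single delayed request (a laptop sleeping, a proxy stall) would defeat it, so production logic would use the median absolute deviation or the fraction of gaps inside the tolerance band instead. Also note that a beacon to a compromised but otherwise legitimate WordPress site will not be caught by reputation lists, which is exactly why cadence analysis earns its place alongside them.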

The discovery of the GootBot variant shows the lengths to which attackers are willing to go to evade detection and operate covertly. This change of tactics and tools could increase the success rate of GootLoader post-exploitation operations.
