A newly discovered variant of the Gootloader malware includes capabilities that make it easier for threat actors to perform lateral movement, and makes it more difficult for enterprise organizations to detect and block campaigns, warn researchers.
The Gootloader malware, which was listed as a top malware strain in 2021 by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), was previously only used as an initial access vector for threat actors to load second-stage tools and malware like Cobalt Strike, IcedID or SystemBC onto targeted businesses’ environments.
Researchers with IBM X-Force on Monday said that they have recently observed the new Gootloader variant being used for lateral movement, however, marking a significant change in the malware’s post-infection tactics. Gootloader’s new capability comes in the form of a tool that researchers call GootBot, which is downloaded after the initial infection and has the ability to receive command and control (C2) tasks via encrypted PowerShell scripts.
“The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP,” said Golo Mühr and Ole Villadsen with IBM X-Force in the Monday analysis. “This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads.”
Researchers detected the new variant in campaigns that used SEO poisoning attacks - designed to take advantage of search engine algorithms to promote malicious sites - with keywords related to contracts, legal forms and business-related documents. Victims would be directed to legitimate-looking but compromised websites, where they would then be tricked into downloading the initial payload.
“As Gootloader frequently serves as an initial access provider, awareness of these evolving TTPs and tools is important to mitigate the risk of impactful post-exploitation activity."
The new variant is also more difficult to block, because after infection the malware deploys large amounts of GootBot implants throughout the corporate environment, and each has a different hardcoded C2 server.
“GootBot implants, each of which contains a different C2 server running on a hacked WordPress site, spread throughout infected enterprise domains in large numbers in hopes of reaching a domain controller,” said Mühr and Villadsen. “At the time of writing, GootBot has no detections listed on VirusTotal. This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as Gootloader-linked ransomware affiliate activity.”
The use of techniques like SEO poisoning and compromised WordPress websites is not new for the group behind Gootloader, which is tracked by various researchers as UNC2565 or Hive0127. The group has been active since 2014, but previously in 2022 it began to incorporate new tactics into its operations, including the distribution of new follow-on payloads in attacks, according to Mandiant researchers in an analysis earlier this year.
The group is known to target a variety of industry verticals and geographic locations, and typically served as an initial access provider, with successful infections sometimes leading to ransomware.
The evolution of this malware to become more effective at detection evasion and stealth, coupled with the potential for ransomware involvement, is concerning for enterprises. Researchers recommend that security teams ensure that script block logging is enabled within the enterprise environment and that they keep tabs on relevant Windows event logs, scheduled tasks and network traffic for signs of compromise.
“As Gootloader frequently serves as an initial access provider, awareness of these evolving TTPs and tools is important to mitigate the risk of impactful post-exploitation activity,” said researchers.