
New GootLoader Malware Variant Evades Detection and Spreads Quickly



Nov 07, 2023 | Newsroom | Endpoint Security / Malware


A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.

"The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole Villadsen said.

"This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads."

GootLoader, as the name implies, is a malware capable of downloading next-stage malware after luring potential victims using search engine optimization (SEO) poisoning tactics. It is linked to a threat actor tracked as Hive0127 (aka UNC2565).


The use of GootBot points to a tactical shift, with the implant downloaded as a payload after a GootLoader infection in lieu of post-exploitation frameworks such as CobaltStrike.

Described as an obfuscated PowerShell script, GootBot is designed to connect to a compromised WordPress site for command-and-control and receive further commands.

Complicating matters further is the use of a unique hard-coded C2 server for each deployed GootBot sample, making it difficult to block the malicious traffic with address-based blocklists alone.


"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers said.

The archive file contains an obfuscated JavaScript file, which, upon execution, fetches another JavaScript file that is triggered via a scheduled task to achieve persistence.


In the second stage, the JavaScript is engineered to run a PowerShell script that gathers system information and exfiltrates it to a remote server, which, in turn, responds with a PowerShell script that runs in an infinite loop and lets the threat actor distribute various payloads.

These payloads include GootBot, which beacons out to its C2 server every 60 seconds to fetch PowerShell tasks for execution and transmits the results back to the server in the form of HTTP POST requests.
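Because each sample carries its own C2 address, timing regularity is a more durable detection signal than a blocklist. The following is an added example, not code from the IBM X-Force report or this article: it scans constructed proxy log lines for hosts that POST to one destination at a near-constant 60-second interval; the log format, host names and thresholds are assumptions made for the illustration.

```python
"""Flag fixed-interval HTTP POST beaconing in proxy logs.

Added example, not code from the IBM X-Force report or this article. GootBot
is described as POSTing to a unique hard-coded C2 every 60 seconds, so a
per-sample blocklist lags behind; timing regularity is a complementary
signal. The log format and host names below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed proxy log lines: "<ISO timestamp> <src_host> <method> <dst_host>"
SAMPLE_LOG = """\
2023-11-07T10:00:00 WS-12 POST blog-example.invalid
2023-11-07T10:00:03 WS-12 GET cdn.example.invalid
2023-11-07T10:01:00 WS-12 POST blog-example.invalid
2023-11-07T10:01:59 WS-12 POST blog-example.invalid
2023-11-07T10:03:01 WS-12 POST blog-example.invalid
2023-11-07T10:04:00 WS-12 POST blog-example.invalid
2023-11-07T10:00:10 WS-07 POST mail.example.invalid
2023-11-07T10:07:42 WS-07 POST mail.example.invalid
2023-11-07T10:09:05 WS-07 POST mail.example.invalid
2023-11-07T10:30:00 WS-07 POST mail.example.invalid
"""

def parse_posts(text):
    """Group POST timestamps by (source host, destination host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, method, dst = line.split()
        if method == "POST":
            series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(text, expected=60.0, tolerance=5.0, min_posts=4):
    """Return (src, dst, mean_gap_seconds) for flows whose POST intervals
    cluster tightly around `expected`. Tolerance and minimum count are
    thresholds chosen for this example, not values from the report."""
    hits = []
    for (src, dst), times in parse_posts(text).items():
        if len(times) < min_posts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - expected) <= tolerance and pstdev(gaps) <= tolerance:
            hits.append((src, dst, round(mean(gaps), 1)))
    return hits

if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: POST every ~{gap}s; review for GootBot-style beaconing")
```

Real-world beacons often add jitter, so widen `tolerance` or compare against the interval's median rather than its mean when tuning this on production logs.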

Other capabilities of GootBot range from reconnaissance to carrying out lateral movement across the environment, effectively expanding the scale of the attack.

"The discovery of the GootBot variant highlights the lengths to which attackers will go to evade detection and operate in stealth," the researchers said. "This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as GootLoader-linked ransomware affiliate activity."




