Recent analysis from Cybereason reveals that harmful software known as Gootloader is currently being used by attackers to distribute additional malware to compromised devices. The latest updates on Gootloader have resulted in the emergence of several malicious variations, with Gootloader 3.0 being actively utilized.
Gootloader, which is a malware bootloader linked to the Gootkit banking Trojan, is associated with the HIVE0127 group (UnC2565). This malware employs JavaScript to download operation tools and spreads through the tactic of “SEO Poisoning.”
Attackers often leverage Gootloader to deliver various malicious programs including Cobalt Strike, IceDid, Kronos, Revil, and Systembc. Additionally, the perpetrators behind Gootloader have introduced a new command control tool named Gootbot in recent months, indicating an expansion of their malicious activities for financial gain.
The attack chains involving Gootloader typically start with compromising websites to inject malicious JavaScript code disguised as legal documents. When these files are opened, Windows generates a scheduled task to ensure persistent infection and runs an additional PowerShell script to gather system information and await further commands.
Security researchers at Cybereason have observed that malicious websites hosting infected files use SEO techniques to lure victims seeking business documents like contract templates. The attackers also employ code obfuscation, control flow obstructions, and payload size enlargement to evade detection and analysis.
The researchers highlight that Gootloader has become more secretive and evasive in its latest iterations, posing a greater threat than before. To mitigate such cyber threats, it is crucial to regularly update software, utilize reliable antivirus solutions, and exercise caution when opening files from untrusted sources.