GootBot Malware Spreads at Alarming Pace

A recently discovered variant of the GootLoader malware, known as GootBot, has been identified as a tool that enables lateral movement within compromised environments while evading detection. Researchers Golo Mühr and Ole Villadsen of IBM X-Force noted that the GootLoader group has introduced this custom bot at a late stage of its attack chain, in an effort to avoid the detection that commonly used command-and-control (C2) tools such as Cobalt Strike or RDP tend to attract.

This new iteration of the malware is both lightweight and efficient, enabling attackers to swiftly infiltrate a network and introduce additional malicious payloads. GootLoader, as the name suggests, is a malware that specializes in downloading subsequent-stage malware after attracting potential victims through search engine optimization (SEO) poisoning techniques. It has been linked to a threat actor identified as Hive0127 (also known as UNC2565).

The deployment of GootBot signals a change in strategy: the implant is delivered as a payload following a GootLoader infection instead of the group relying on post-exploitation frameworks like Cobalt Strike. GootBot is described as an obfuscated PowerShell script designed to connect to a compromised WordPress site for command and control and to receive further instructions from it.

GootBot Uses Clever Tricks

Further complicating the situation is the use of a distinct hard-coded C2 server for each GootBot instance, which makes blocking the malicious network traffic by destination difficult. Current campaigns have been observed using SEO-poisoned search results related to themes like contracts, legal documents, or other business-related content, directing victims to compromised websites that appear to be legitimate forums. There, they are deceived into downloading the initial payload in the form of an archive file. This archive contains an obfuscated JavaScript file that, upon execution, retrieves a second JavaScript file, which is then scheduled to run as a persistence mechanism.

In the second stage, the JavaScript is configured to execute a PowerShell script that gathers system information and sends it to a remote server. In return, the server responds with a PowerShell script that runs in an infinite loop, enabling the threat actor to distribute various payloads. This includes GootBot, which polls its C2 server every 60 seconds to retrieve and execute PowerShell tasks, sending the results back to the server through HTTP POST requests.
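Because every GootBot instance carries its own hard-coded C2 site, blocking by destination does not scale, but the fixed 60-second POST cadence is a behaviour that web proxy logs can reveal. As an added example (not from the article or from X-Force), the following Python detector groups constructed proxy log lines by source host, method and destination, and flags flows whose request intervals cluster tightly around 60 seconds; the log format and hostnames are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

# Constructed proxy log (timestamp src method dst); ws-17 POSTs to one site every ~60 s.
SAMPLE_LOG = """\
2023-11-08T10:00:00Z ws-17 POST wp.example.test
2023-11-08T10:00:12Z ws-02 GET news.example.test
2023-11-08T10:01:00Z ws-17 POST wp.example.test
2023-11-08T10:01:31Z ws-17 GET cdn.example.test
2023-11-08T10:02:01Z ws-17 POST wp.example.test
2023-11-08T10:02:40Z ws-02 GET news.example.test
2023-11-08T10:02:59Z ws-17 POST wp.example.test
2023-11-08T10:04:00Z ws-17 POST wp.example.test
2023-11-08T10:05:22Z ws-02 POST mail.example.test
2023-11-08T10:07:10Z ws-02 POST mail.example.test
"""

def parse_log(text):
    """Yield (epoch_seconds, src, method, dst) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, dst = m.groups()
        epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()
        yield epoch, src, method, dst

def find_periodic_beacons(text, period=60.0, tolerance=5.0, min_events=4, max_jitter=0.1):
    """Return [(src, method, dst, n_events, mean_interval)] for flows whose
    inter-request gaps average within `tolerance` of `period` and vary little."""
    flows = defaultdict(list)
    for epoch, src, method, dst in parse_log(text):
        flows[(src, method, dst)].append(epoch)
    hits = []
    for key, times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: human browsing is bursty, a sleep loop is not.
        if avg > 0 and abs(avg - period) <= tolerance and pstdev(gaps) / avg <= max_jitter:
            hits.append((*key, len(times), round(avg, 1)))
    return hits

if __name__ == "__main__":
    print(find_periodic_beacons(SAMPLE_LOG))
```

Tune `tolerance` and `max_jitter` to the sleep interval and jitter you expect; a hit is a lead for triage, not proof of compromise on its own.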

GootBot boasts a range of capabilities, from reconnaissance to lateral movement within the compromised environment, significantly amplifying the scope of the attack.

November 8, 2023