The Gootloader Group [1] [2] [3] [4], also known as Hive0127 or UNC2565 [4], has developed a new variant called GootBot [4]. This malware is distributed through SEO-poisoned searches for business documents and tricks victims into downloading the initial payload from compromised sites [4].

Description

GootBot is a lightweight but effective malware that facilitates stealthy lateral movement within enterprise environments [3]. It is designed to avoid detection by using its own custom bot instead of off-the-shelf tools like CobaltStrike or RDP [3]. GootBot implants are spread throughout corporate environments [3] [4], each containing a different command-and-control (C2) server [4], which makes them difficult to block [3] [4]. After a Gootloader infection [3], GootBot is downloaded as a payload and can receive encrypted PowerShell scripts as C2 tasks [3]. GootBot implants have no detections on VirusTotal [1] [2] [3], which makes them hard to detect and block [3].

This shift in tactics and tooling by the Gootloader Group increases the risk of successful post-exploitation stages, such as ransomware attacks [2] [4]. Gootloader has been active since 2014 and relies on SEO poisoning and compromised WordPress sites to deliver its malware [4]. GootBot implants are currently being disseminated through corporate environments [3] [4]; successful infections have been known to lead to ransomware attacks [3] [4], and other threat actors use Gootloader as an initial access provider [4].

Conclusion

The Gootloader Group [1] [2] [3] [4], previously known as an initial access broker (IAB) and malware operator [1] [2], has released a new post-compromise malware called GootBot [1] [2]. This shift in tactics and tooling increases the risk of successful post-exploitation stages [1] [2], including ransomware attacks [1] [2] [4]. It is concerning that GootBot implants have no detections on VirusTotal, making it difficult to detect and block [3]. Organizations should be aware of the potential impact of GootBot and take necessary measures to mitigate the risk. Additionally, the emergence of GootBot highlights the evolving nature of cyber threats and the need for continuous monitoring and adaptation of security measures.

References

[1] https://alinaa-cybersecurity.com/gootloader-aims-malicious-custom-bot-army-at-enterprise-networks/
[2] https://www.darkreading.com/attacks-breaches/gootloader-malicious-custom-bot-army-enterprise-networks
[3] https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/
[4] https://www.scmagazine.com/news/new-gootbot-strain-of-gootloader-malware-stokes-ransomware-fears