GootLoader is malware derived from GootKit, a banking trojan that first appeared in 2014. In 2021 it was updated and renamed to reflect its new purpose. The same group is responsible for both versions of the malware and is tracked by Mandiant as UNC2565. The evolution of GootLoader reflects the evolution of cybercriminal gangs, which now operate on a malware-as-a-service business model: the developers build the malware, and less sophisticated gangs or individuals pay to use it. GootLoader is mainly used to gain access to victims for ransomware purposes; that access is then sold to ransomware-as-a-service groups or individual criminals.

Cybereason has done a deep dive into the latest version of GootLoader. The infection process begins with compromised WordPress sites, which are given greater apparent legitimacy through SEO poisoning techniques. The primary targets are the healthcare and finance sectors in English-speaking countries such as the US, the UK and Australia. If a victim visits a compromised site, they are served a ZIP file containing a malicious JavaScript. This JavaScript creates and runs a scheduled task named "Customer Engineering", which generates a second JavaScript file. This file is 40 MB in size and carries PowerShell code that executes a command-and-control function every 20 seconds. It also uses system discovery calls to collect environment variables, processes, desktop items and disks on the victim machine. This data is compressed, encoded, and sent to the C2 disguised as a cookie. Lateral movement starts with disabling Microsoft Defender and proceeds with Cobalt Strike loaded through DLL hijacking.

Cybereason has assessed the GootLoader threat level as severe, because it combines evasion and living-off-the-land techniques.
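Two of the behaviours described above lend themselves to hunting heuristics on endpoint and proxy telemetry: a script host (the dropped JavaScript) spawning PowerShell, and beaconing to one host at a fixed cadence with an oversized, high-entropy Cookie header (the compressed, encoded host survey). The following is an added example written for this summary, not Cybereason's or anyone else's detection logic; all events, hostnames and thresholds are constructed, and the exact process lineage and HTTP shape of the real loader are assumptions.

```python
import base64, hashlib, math
from collections import Counter, defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def entropy(s: str) -> float:
    """Shannon entropy in bits per character; base64 of compressed data sits near 6."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def script_host_spawn_alerts(proc_events):
    """Process-creation events where a script host launches PowerShell: the hand-off
    from the 40 MB JavaScript to its embedded C2 loop (assumed lineage)."""
    return [e for e in proc_events
            if e["parent"].lower() in SCRIPT_HOSTS and e["image"].lower() == "powershell.exe"]

def cookie_beacon_alerts(http_events, period=20.0, jitter=3.0, min_len=512, min_entropy=5.0):
    """Hosts contacted roughly every `period` seconds with a Cookie header that is both
    oversized and high-entropy, i.e. a survey blob hidden in a cookie rather than a session id."""
    by_host = defaultdict(list)
    for e in http_events:
        if len(e["cookie"]) >= min_len and entropy(e["cookie"]) >= min_entropy:
            by_host[e["host"]].append(e["ts"])
    hits = []
    for host, ts in sorted(by_host.items()):
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) >= 2 and all(abs(g - period) <= jitter for g in gaps):
            hits.append(host)
    return hits

def _blob(seed: bytes, n: int) -> str:
    """Deterministic stand-in for a compressed+base64 payload (constructed, not malware output)."""
    out, cur = b"", seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return base64.b64encode(out[:n]).decode()

# Constructed sample telemetry; hostnames use the reserved .invalid TLD as placeholders.
PROC_EVENTS = [
    {"parent": "wscript.exe", "image": "powershell.exe", "cmdline": "powershell.exe -NoProfile"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe"},
]
HTTP_EVENTS = (
    [{"host": "c2.invalid", "ts": t, "cookie": _blob(b"seed", 400)} for t in (0, 20, 41, 60)]
    + [{"host": "cdn.invalid", "ts": 5, "cookie": "session=abc123"},
       {"host": "big.invalid", "ts": 7, "cookie": _blob(b"other", 400)}]
)

if __name__ == "__main__":
    print(script_host_spawn_alerts(PROC_EVENTS), cookie_beacon_alerts(HTTP_EVENTS))
```

On the constructed data only the first process event and the `c2.invalid` host fire; tune `period`, `jitter` and the cookie thresholds to your own baseline before running this over real proxy logs.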
This Cyber News was published on www.securityweek.com. Publication date: Wed, 08 Feb 2023 13:34:03 +0000