GootLoader Malware

A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.

"The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole Villadsen said.

"This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads."

GootLoader, as the name implies, is a loader: it downloads next-stage malware onto machines whose users have been lured to a malicious download through search engine optimization (SEO) poisoning. It's linked to a threat actor tracked as Hive0127 (aka UNC2565).


The use of GootBot points to a tactical shift, with the implant downloaded as a payload after a Gootloader infection in lieu of post-exploitation frameworks such as CobaltStrike.

GootBot itself is an obfuscated PowerShell script that uses a compromised WordPress site as its command-and-control (C2) server, from which it receives further commands.

Complicating matters further, each dropped GootBot sample carries its own unique hard-coded C2 server, so blocking individual domains or IP addresses does little to stop the traffic.


"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers said.

The archive contains an obfuscated JavaScript file which, once run, fetches a second JavaScript file and registers it in a scheduled task to achieve persistence.


In the second stage, JavaScript is engineered to run a PowerShell script for gathering system information and exfiltrating it to a remote server, which, in turn, responds with a PowerShell script that's run in an infinite loop and grants the threat actor to distribute various payloads.

One such payload is GootBot, which beacons to its C2 server every 60 seconds to fetch PowerShell tasks, executes them, and sends the results back to the server as HTTP POST requests.
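The fixed 60-second cadence is something a defender can hunt for even when the C2 hostname is unknown, which matters here because each sample talks to a different compromised WordPress site. The following Python script is an added example written for this page, not code from IBM X-Force or from GootBot itself. It takes a handful of constructed web proxy log lines, groups POST requests by client and destination host, and flags pairs whose inter-request intervals cluster tightly around 60 seconds. The log format, the hostnames and IP addresses, and the thresholds (15% period tolerance, 10% coefficient of variation, five-request minimum) are assumptions chosen for the demonstration.

```python
"""Hunt for fixed-interval HTTP POST beaconing in web proxy logs.

Added example for this page; not code from IBM X-Force or from GootBot.
The log format, hostnames and thresholds below are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

EXPECTED_PERIOD = 60.0    # seconds; the GootBot beacon interval reported by the research
PERIOD_TOLERANCE = 0.15   # assumption: median gap must be within 15% of EXPECTED_PERIOD
MAX_CV = 0.10             # assumption: coefficient of variation of the gaps must stay below 10%
MIN_BEACONS = 5           # assumption: do not score a (client, host) pair with fewer POSTs

# Constructed sample log (not real traffic), one request per line:
# <ISO timestamp> <client ip> <method> <host> <path> <status> <bytes>
SAMPLE_LOG = """\
2023-11-01T09:00:00 10.0.0.5 POST blog.example-compromised.test /wp-content/uploads/2023/11/cache.php 200 512
2023-11-01T09:00:03 10.0.0.7 POST intranet.example.test /login 302 210
2023-11-01T09:00:09 10.0.0.7 POST intranet.example.test /search 200 3301
2023-11-01T09:00:10 10.0.0.7 POST intranet.example.test /search 200 2987
2023-11-01T09:00:12 10.0.0.7 GET www.example-news.test /index.html 200 14022
2023-11-01T09:01:00 10.0.0.5 POST blog.example-compromised.test /wp-content/uploads/2023/11/cache.php 200 498
2023-11-01T09:01:30 10.0.0.5 GET cdn.example.test /lib.js 200 7710
2023-11-01T09:02:01 10.0.0.5 POST blog.example-compromised.test /wp-content/uploads/2023/11/cache.php 200 503
2023-11-01T09:02:59 10.0.0.5 POST blog.example-compromised.test /wp-content/uploads/2023/11/cache.php 200 507
2023-11-01T09:03:40 10.0.0.7 POST intranet.example.test /upload 200 9021
2023-11-01T09:04:00 10.0.0.5 POST blog.example-compromised.test /wp-content/uploads/2023/11/cache.php 200 495
2023-11-01T09:05:00 10.0.0.5 POST blog.example-compromised.test /wp-content/uploads/2023/11/cache.php 200 511
2023-11-01T09:06:00 10.0.0.9 POST forms.example.test /submit 200 900
2023-11-01T09:07:00 10.0.0.9 POST forms.example.test /submit 200 880
2023-11-01T09:10:00 10.0.0.7 POST intranet.example.test /logout 302 180
"""


def parse_line(line):
    """Split one log line into a record; the timestamp is parsed to a datetime."""
    ts, src, method, host, path, status, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "path": path, "status": int(status), "bytes": int(size)}


def group_posts(lines):
    """Bucket POST requests by (client ip, destination host); other methods are ignored."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] == "POST":
            groups[(rec["src"], rec["host"])].append(rec)
    return groups


def score_group(records):
    """Measure how regular the gaps between consecutive POSTs are.

    Returns None when there are too few requests to judge; otherwise a dict with
    the median gap, the coefficient of variation (stdev / mean) and a verdict.
    """
    if len(records) < MIN_BEACONS:
        return None
    records = sorted(records, key=lambda r: r["ts"])
    gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(records, records[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else float("inf")
    med = median(gaps)
    periodic = (abs(med - EXPECTED_PERIOD) <= PERIOD_TOLERANCE * EXPECTED_PERIOD
                and cv <= MAX_CV)
    # Informational only: the research says GootBot's C2 is a compromised WordPress
    # site, so a WordPress-looking path is a weak corroborating hint, not a rule.
    wp_hint = any("/wp-" in r["path"] for r in records)
    return {"count": len(records), "median_gap": med, "cv": round(cv, 3),
            "periodic": periodic, "wordpress_path": wp_hint}


def find_beacons(lines):
    """Return every (client, host) pair whose POST cadence looks like a fixed beacon."""
    hits = []
    for (src, host), recs in group_posts(lines).items():
        score = score_group(recs)
        if score and score["periodic"]:
            hits.append({"src": src, "host": host, **score})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"{hit['src']} -> {hit['host']}: {hit['count']} POSTs, "
              f"median gap {hit['median_gap']:.0f}s, cv {hit['cv']}, "
              f"wordpress path {hit['wordpress_path']}")
```

Run as-is, the script reports the single constructed beaconing pair (10.0.0.5 to the WordPress host) and stays quiet about the bursty intranet traffic and the two-request form submission. Against real proxy or NetFlow records the thresholds need tuning: a bot that adds jitter will push the coefficient of variation up, so a longer observation window, or a check on request-size uniformity as well, is usually needed before the rule fires reliably. The periodicity signal is a reason to triage, not proof on its own, since monitoring agents and update checkers also poll on fixed intervals.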

GootBot's other capabilities range from reconnaissance to lateral movement across the environment, expanding the reach of the intrusion.

"The discovery of the Gootbot variant highlights the lengths to which attackers will go to evade detection and operate in stealth," the researchers said. "This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as GootLoader-linked ransomware affiliate activity."
