The malware known as GootLoader continues to be in active use by threat actors looking to deliver additional payloads to compromised hosts.
"Updates to the GootLoader payload have resulted in several versions of GootLoader, with GootLoader 3 currently in active use," cybersecurity firm Cybereason said in an analysis published last week.
"While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware's resurgence in 2020."
GootLoader, a JavaScript-based loader that originated as a component of the Gootkit banking trojan, is attributed to a threat actor tracked as Hive0127 (aka UNC2565). It is distributed through search engine optimization (SEO) poisoning and is used to fetch post-exploitation tooling onto infected hosts.
It typically serves as a conduit for delivering various payloads such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC.
In recent months, the threat actors behind GootLoader have also unleashed their own command-and-control (C2) and lateral movement tool dubbed GootBot, indicating that the "group is expanding their market to gain a wider audience for their financial gains."
Attack chains start with compromised websites that host the GootLoader JavaScript payload inside archive files disguised as legal documents and agreements. When the victim launches the script, it establishes persistence through a scheduled task and runs a second JavaScript stage, which in turn starts a PowerShell script that collects system information and waits for further instructions from the operators.
"Sites that host these archive files leverage Search Engine Optimization (SEO) poisoning techniques to lure in victims that are searching for business-related files such as contract templates or legal documents," security researchers Ralph Villanueva, Kotaro Ogino, and Gal Romano said.
The loader also relies on source code encoding, control flow obfuscation, and payload size inflation to resist analysis and detection, and it hides its code inside copies of legitimate JavaScript libraries such as jQuery, Lodash, Maplace.js, and tui-chart.
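One practical triage step against the library-embedding and size-inflation tricks described above is to diff the suspect file against a pristine copy of the library it claims to be: whatever is not in the vendor's release is the injected code. The script below is an added example written for this article, not Cybereason's tooling or anything taken from GootLoader itself. The "library" and the "suspect" file are constructed stand-ins with placeholder strings, and the helper names (`findForeignLines`, `sizeInflation`) are assumptions of the example.

```javascript
// Added example (not the article's or Cybereason's code): locate code that
// was inserted into a copy of a known JavaScript library, and measure how
// much the file has been inflated relative to the clean build.

// Constructed stand-in for a clean library release. A real check would use
// the file published by the library's vendor for the same version string.
const CLEAN_LIBRARY = [
  '/*! tinylib v1.0.0 | MIT */',
  '(function (root) {',
  '  function noop() {}',
  '  function each(list, fn) { for (var i = 0; i < list.length; i++) fn(list[i], i); }',
  '  root.tinylib = { noop: noop, each: each };',
  '})(this);',
].join('\n');

// Constructed suspect: the same library with three foreign lines inserted
// between its helpers and a trailing comment of filler that mimics payload
// size inflation. The strings are placeholders, not real payload content.
const SUSPECT_FILE = [
  '/*! tinylib v1.0.0 | MIT */',
  '(function (root) {',
  '  function noop() {}',
  '  var q = ["Zm9v", "YmFy"];',                                          // foreign
  '  var d = function (s) { return s.split("").reverse().join(""); };',  // foreign
  '  var r = d(q[0]) + d(q[1]);',                                         // foreign
  '  function each(list, fn) { for (var i = 0; i < list.length; i++) fn(list[i], i); }',
  '  root.tinylib = { noop: noop, each: each };',
  '})(this);',
  '// ' + 'x'.repeat(2000),                                               // foreign filler
].join('\n');

// Collapse whitespace so that re-indenting or minifier-style spacing changes
// are not reported as foreign code.
function normalize(line) {
  return line.trim().replace(/\s+/g, ' ');
}

// Return contiguous runs of lines in `suspect` that occur nowhere in `clean`.
// Blank lines are ignored. Each block is { start, end, lines } with 1-based
// line numbers, so an analyst can jump straight to the inserted region.
function findForeignLines(suspect, clean) {
  const known = new Set(clean.split('\n').map(normalize));
  const blocks = [];
  let current = null;
  suspect.split('\n').forEach((raw, idx) => {
    const line = normalize(raw);
    const lineNo = idx + 1;
    if (line === '' || known.has(line)) {
      if (current) { blocks.push(current); current = null; }
      return;
    }
    if (!current) current = { start: lineNo, end: lineNo, lines: [] };
    current.end = lineNo;
    current.lines.push(raw);
  });
  if (current) blocks.push(current);
  return blocks;
}

// Byte sizes and their ratio: a file several times larger than the library it
// imitates is worth a second look even before any diffing.
function sizeInflation(suspect, clean) {
  const suspectBytes = Buffer.byteLength(suspect, 'utf8');
  const cleanBytes = Buffer.byteLength(clean, 'utf8');
  return { suspectBytes, cleanBytes, ratio: suspectBytes / cleanBytes };
}

// Demo run on the constructed inputs.
const report = findForeignLines(SUSPECT_FILE, CLEAN_LIBRARY);
report.forEach((b) => console.log(`foreign block lines ${b.start}-${b.end}:\n${b.lines.join('\n')}`));
console.log('size inflation:', sizeInflation(SUSPECT_FILE, CLEAN_LIBRARY));
```

The whitespace normalization is deliberate: a diff that reports every re-indented line as foreign buries the three lines that matter, so the comparison is done on trimmed, space-collapsed text. The same approach works for minified builds as long as the comparison unit is the same on both sides (lines here; tokens would be needed for a single-line minified file).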
"GootLoader has received several updates during its life cycle, including changes to evasion and execution functionalities," the researchers concluded.
Update
Palo Alto Networks Unit 42 has demonstrated how to use Visual Studio Code's Node.js debugging to get around GootLoader malware's anti-analysis tactics and analyze the JavaScript artifacts on a Windows host.
"The creators of GootLoader employed time-consuming while loops with arrays of functions to deliberately delay the execution of malicious code," researchers Riley Porter and Mark Lim said. "This method effectively implements an evasion technique, inducing sleep periods to obfuscate the malicious nature of GootLoader."
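Unit 42's approach, as described above, is interactive: pause the script in the Node.js debugger and step past the stalling loops. The same idea can be automated for bulk triage by rewriting the loop bounds before running the script under a recording stand-in for the Windows Script Host objects. The block below is an added example written for this article, not Unit 42's procedure or GootLoader's code. `SAMPLE` is a constructed script that only imitates the shape of the stall (a large `while` loop cycling through an array of functions); `patchDelayLoops`, `runInstrumented`, the iteration threshold, and the fake `WScript` object are all assumptions of the example.

```javascript
// Added example (not Unit 42's tooling or GootLoader's code): neutralize
// iteration-count stalls in a script, then execute it against a recording
// stand-in for WScript so the real actions become visible in seconds.

// Constructed stand-in for the stalling pattern: an array of do-nothing
// functions driven by a very large while loop, followed by the action an
// analyst actually wants to observe. The PowerShell invocation is a bare
// placeholder, not a real command line.
const SAMPLE = [
  'var a = [function(){return 1;}, function(){return 2;}, function(){return 3;}];',
  'var i = 0;',
  'while (i < 40000000) { a[i % a.length](); i = i + 1; }',
  'var sh = WScript.CreateObject("WScript.Shell");',
  'sh.Run("powershell.exe", 0, false);',
].join('\n');

// Rewrite `while (x < N)` and `for (...; x < N; ...)` bounds that exceed
// minIterations down to 1, so each stall finishes after a single pass. Loops
// with small constants are program logic and are left untouched.
function patchDelayLoops(src, minIterations = 100000) {
  const whileRe = /(\bwhile\s*\(\s*[A-Za-z_$][\w$]*\s*<\s*)(\d+)/g;
  const forRe = /(\bfor\s*\([^;]*;\s*[A-Za-z_$][\w$]*\s*<\s*)(\d+)/g;
  const rewrite = (match, head, num) => (Number(num) >= minIterations ? head + '1' : match);
  return src.replace(whileRe, rewrite).replace(forRe, rewrite);
}

// Execute the script with a fake WScript object whose methods only record
// what they were asked to do. Nothing is spawned; the returned call list is
// the analysis result. Use this only on an isolated analysis machine, since
// the script still runs as JavaScript in this process.
function runInstrumented(src) {
  const calls = [];
  const fakeShell = {
    Run: (...args) => { calls.push(['Run', ...args]); return 0; },
    Exec: (...args) => { calls.push(['Exec', ...args]); return {}; },
  };
  const fakeWScript = {
    CreateObject: (progId) => { calls.push(['CreateObject', progId]); return fakeShell; },
    Sleep: (ms) => { calls.push(['Sleep', ms]); },
    Echo: () => {},
  };
  const start = Date.now();
  new Function('WScript', src)(fakeWScript);
  return { calls, elapsedMs: Date.now() - start };
}

// Demo run: the patched sample reaches the Run call almost immediately.
const result = runInstrumented(patchDelayLoops(SAMPLE));
console.log(`finished in ${result.elapsedMs} ms; observed calls:`, result.calls);
```

The threshold matters: lowering every loop bound would break the string-building and decoding routines a loader legitimately relies on, so only constants far above anything a real program would iterate are rewritten. When the stall is driven by something other than a numeric literal (a computed bound, or a condition on an array length), the static patch will miss it and the debugger route described above is the fallback.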