Carding Forum
Malicious software called GootLoader is actively used by attackers to deliver additional malware to compromised devices.
As Cybereason reports in its recent analysis, GootLoader updates have led to several variations of the malware at once, and GootLoader 3 is currently actively used. Despite changes in details, the infection strategies and overall functionality of the malware remain similar to the beginning of its activity in 2020.
GootLoader itself is a malware downloader and is part of the Gootkit banking Trojan. It is closely related to the Hive0127 grouping (also known as UNC2565). This software uses JavaScript to load post-exploitation tools and is distributed by "poisoning the search results" (SEO poisoning).
GootLoader is often used to deliver various malicious programs, such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC. In recent months, the attackers behind GootLoader have also released their own command-and-control and lateral movement tool called GootBot, indicating that they are expanding their activities for greater financial gain.
Attack chains involve compromising websites to host malicious GootLoader JavaScript code under the guise of legal documents and agreements. When running such files in Windows, a scheduled task is created to maintain the persistence of infection, and an additional PowerShell script is executed that collects information about the system and waits for further instructions.
Cybereason security researchers note that malicious sites that store archived files used for infection use SEO techniques to attract victims looking for business files, such as contract templates or legal documents.
The attacks are also notable for using source code encoding techniques, control flow obfuscation, and increasing payload size to counter analysis and detection. Another interesting technique is to embed malware in legitimate JavaScript library files, such as jQuery, Lodash, Maplace.js and tui-chart.
Researchers say that with the latest updates, GootLoader has become more secretive and evasive, which means it is now much more dangerous than it was before. To protect against such cyber threats, it is critically important to regularly update the software, use reliable antivirus solutions, and exercise caution when opening files from unverified sources.
• Source: https://www.cybereason.com/blog/i-am-goot-loader
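Added example, not code from the post or from Cybereason's report: a small Python triage check for the library-tampering and payload-bloating techniques described above. It flags a JavaScript file that carries extra content after a trusted library (by hashing the file's leading bytes against an allow-list) and a file dominated by string literals, which is what an encoded, oversized stage looks like. The library text, hashes and hex blob are constructed stand-ins, not real jQuery or GootLoader content.

```python
import hashlib
import re

# Constructed samples (not real jQuery/Lodash code): a stand-in for a known-good
# minified library, and the same file with a string-encoded payload appended.
CLEAN_LIB = "/*! examplelib v1.0 */(function(w){w.examplelib={version:'1.0'};})(window);\n"
PAYLOAD = "7f3a9c41" * 400  # constructed hex blob standing in for an encoded stage
TAMPERED_LIB = (
    CLEAN_LIB
    + "var z='" + PAYLOAD + "';"
    + "function q(a){var b='';for(var i=0;i<a.length;i+=2)"
    + "b+=String.fromCharCode(parseInt(a.substr(i,2),16));return b;}\n"
)

# Allow-list of trusted library files: name -> (byte length, sha256 of those bytes).
# In practice this would be built from the vendor's published release files.
KNOWN_GOOD = {
    "examplelib v1.0": (len(CLEAN_LIB.encode()),
                        hashlib.sha256(CLEAN_LIB.encode()).hexdigest()),
}

STRING_LITERAL = re.compile(r"'[^'\n]*'|\"[^\"\n]*\"")


def appended_after_known_good(data: bytes, known_good=KNOWN_GOOD):
    """Return the name of a trusted library that is an exact prefix of data but
    has extra bytes after it, or None. An exact match (no extra bytes) is clean."""
    for name, (length, digest) in known_good.items():
        if len(data) > length and hashlib.sha256(data[:length]).hexdigest() == digest:
            return name
    return None


def string_literal_share(text: str) -> float:
    """Fraction of the file that sits inside quoted string literals; an encoded
    payload pushes this far above what hand-written library code shows."""
    if not text:
        return 0.0
    inside = sum(len(m.group(0)) for m in STRING_LITERAL.finditer(text))
    return inside / len(text)


def assess_js(data: bytes, share_threshold: float = 0.5):
    """Return a list of findings for one JavaScript file (empty list means no flags)."""
    findings = []
    name = appended_after_known_good(data)
    if name:
        findings.append(f"content appended after trusted library '{name}'")
    share = string_literal_share(data.decode("utf-8", errors="replace"))
    if share > share_threshold:
        findings.append(f"string literals make up {share:.0%} of the file")
    return findings
```

Run `assess_js(open(path, "rb").read())` over files pulled from a suspect archive; the threshold is a starting point to tune against the real libraries your sites ship.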