"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers said.
The archive contains an obfuscated JavaScript file that, when executed, fetches a second JavaScript file; that second file is launched via a scheduled task to achieve persistence.
In the second stage, the JavaScript runs a PowerShell script that gathers system information and exfiltrates it to a remote server. The server responds with another PowerShell script that runs in an infinite loop, which allows the threat actor to distribute various payloads.
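The chain described above (a script host launching a JavaScript file from a user-writable location, started by the Task Scheduler, then spawning PowerShell) is a useful hunting pattern in endpoint telemetry. The following Python is an added example, not code from the article or from the researchers it cites: it runs that heuristic over constructed, Sysmon-style process-creation events embedded inline. The process names, parent names, path patterns and sample events are assumptions for illustration, not indicators tied to any specific campaign.

```python
"""Heuristic detection of a JS -> scheduled task -> PowerShell loader chain.

Added example over constructed, Sysmon-like JSON process-creation events.
Field names follow Sysmon Event ID 1 (Image, CommandLine, ProcessId,
ParentProcessId, ParentImage); everything below is an assumption.
"""
import json
import re

# Assumed names: Windows script hosts and PowerShell binaries.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# The Schedule service runs inside svchost.exe on current Windows builds;
# older builds used taskeng.exe. Treated as "started by Task Scheduler".
SCHEDULER_PARENTS = {"svchost.exe", "taskeng.exe"}
# Directories an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)
# A quoted or unquoted argument ending in .js on the command line.
JS_PATH = re.compile(r'"([^"]+\.js)"|(\S+\.js)\b', re.IGNORECASE)

# Constructed sample telemetry (not real logs). PID 1200 is the suspicious
# chain; 1300, 1400 and 1500 are benign look-alikes that must not fire.
SAMPLE_LOG = r"""
{"ProcessId": 1200, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe \"C:\\Users\\victim\\AppData\\Roaming\\stage2.js\"", "ParentProcessId": 900, "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"ProcessId": 1210, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command Get-ComputerInfo", "ParentProcessId": 1200, "ParentImage": "C:\\Windows\\System32\\wscript.exe"}
{"ProcessId": 1300, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe \"C:\\Program Files\\Vendor\\logon.js\"", "ParentProcessId": 800, "ParentImage": "C:\\Windows\\explorer.exe"}
{"ProcessId": 1400, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\maintenance.ps1", "ParentProcessId": 900, "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
{"ProcessId": 1500, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "wscript.exe C:\\Users\\victim\\Desktop\\test.js", "ParentProcessId": 800, "ParentImage": "C:\\Windows\\explorer.exe"}
"""


def parse_events(log_text):
    """Parse newline-delimited JSON events and add lower-cased basenames."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["image_name"] = event["Image"].rsplit("\\", 1)[-1].lower()
        event["parent_name"] = event["ParentImage"].rsplit("\\", 1)[-1].lower()
        events.append(event)
    return events


def script_path(command_line):
    """Return the .js path handed to the script host, or None if absent."""
    m = JS_PATH.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def find_chains(events):
    """Flag script-host processes matching at least two signals of the chain."""
    findings = []
    for ev in events:
        if ev["image_name"] not in SCRIPT_HOSTS:
            continue
        path = script_path(ev["CommandLine"])
        if path is None or not USER_WRITABLE.search(path):
            continue
        reasons = ["runs .js from a user-writable path"]
        if ev["parent_name"] in SCHEDULER_PARENTS:
            reasons.append("started by Task Scheduler")
        children = [c for c in events
                    if c["ParentProcessId"] == ev["ProcessId"]
                    and c["image_name"] in POWERSHELL]
        if children:
            reasons.append("spawned PowerShell")
        # A .js under a user profile alone is weak evidence (logon scripts,
        # developers); require a second signal before raising a finding.
        if len(reasons) >= 2:
            findings.append({
                "pid": ev["ProcessId"],
                "script": path,
                "reasons": reasons,
                "children": [c["CommandLine"] for c in children],
            })
    return findings


def analyze(log_text):
    """Convenience wrapper: parse the log text and return the findings."""
    return find_chains(parse_events(log_text))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

The two-signal threshold is the design choice worth keeping when adapting this to a real SIEM query: the path check alone is noisy, and the scheduled-task parent alone is noisy, but either combined with a PowerShell child of a script host is rare in legitimate use. Persisted tasks can also be inventoried directly on a host with Get-ScheduledTask and inspected for actions that execute wscript.exe or cscript.exe with a .js argument.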