Malware News New GootLoader Malware Variant Evades Detection and Spreads Rapidly


A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.

"The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole Villadsen said. "This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads."
"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers said.

The archive file incorporates an obfuscated JavaScript file, which, upon execution, fetches another JavaScript file that's triggered via a scheduled task to achieve persistence.
In the second stage, JavaScript is engineered to run a PowerShell script for gathering system information and exfiltrating it to a remote server, which, in turn, responds with a PowerShell script that's run in an infinite loop and allows the threat actor to distribute various payloads.
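
The chain described above (JavaScript run from an archive, a second JavaScript file started by a scheduled task, then a script host launching PowerShell) can be hunted for in process-creation telemetry. The following is an added example, not part of the original post or the IBM X-Force report; the event field names, the sample events, the parent-process list and the `.zip\` path heuristic are all assumptions made for illustration.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumption: scheduled tasks start as children of the Task Scheduler
# service (svchost.exe), or taskeng.exe on older Windows versions.
TASK_PARENTS = {"svchost.exe", "taskeng.exe"}

WSCRIPT = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\explorer.exe", "image": WSCRIPT,
     "cmdline": r'wscript.exe "C:\Users\a\AppData\Local\Temp\Temp1_forms.zip\form.js"'},
    {"host": "WS01", "parent": r"C:\Windows\System32\svchost.exe", "image": WSCRIPT,
     "cmdline": r"wscript.exe C:\Users\a\AppData\Roaming\Example\stage2.js"},
    {"host": "WS01", "parent": WSCRIPT, "image": PS,
     "cmdline": "powershell.exe -File collect.ps1"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell.exe Get-Date"},
]

def _name(path):
    """Lower-cased file name of a Windows path, on any OS."""
    return ntpath.basename(path).lower()

def classify(event):
    """Return the stage of the described chain an event matches, or None."""
    image, parent = _name(event["image"]), _name(event["parent"])
    cmd = event["cmdline"].lower()
    runs_js = image in SCRIPT_HOSTS and ".js" in cmd
    if runs_js and ".zip\\" in cmd:          # script opened from inside an archive
        return "js_from_archive"
    if runs_js and parent in TASK_PARENTS:   # script started by a scheduled task
        return "js_from_scheduled_task"
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        return "script_host_spawns_powershell"
    return None

def hosts_with_chain(events, min_stages=2):
    """Flag hosts showing at least min_stages distinct stages of the chain."""
    seen = {}
    for event in events:
        stage = classify(event)
        if stage:
            seen.setdefault(event["host"], set()).add(stage)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}
```

Requiring several distinct stages on one host keeps single benign events, such as an administrator's scheduled script, from raising an alert on their own.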
