GootBot: The Covert Chameleon of Malware World
A new iteration of the GootLoader malware, named GootBot, has surfaced. It enables lateral movement within compromised environments while evading detection.
IBM X-Force researchers Golo Mühr and Ole Villadsen reported that the GootLoader group's introduction of GootBot is a calculated move to avoid detection, especially in the later phases of their attacks, when they would otherwise rely on readily available command-and-control tools such as CobaltStrike or RDP.
GootBot is lightweight and effective, giving threat actors the ability to move quickly across networks and deploy additional payloads. GootLoader, true to its name, specializes in downloading next-stage malware, luring potential victims through search engine optimization (SEO) poisoning. The threat is attributed to a group tracked as Hive0127, also known as UNC2565.
The shift toward GootBot signifies a tactical alteration, with the implant now being downloaded as a payload after a GootLoader infection, departing from the reliance on post-exploitation frameworks like CobaltStrike.
GootBot is described as an obfuscated PowerShell script built to connect to compromised WordPress sites for command and control and to receive further instructions. Each GootBot sample also uses its own unique hard-coded command-and-control (C2) server, which makes blocking the malicious traffic with static indicators a formidable challenge.
Current campaigns involving GootBot pivot on SEO-poisoned searches that revolve around themes such as contracts, legal forms, or other business-related documents. These search tactics lead victims to compromised websites designed to emulate legitimate forums, where they are duped into downloading the initial payload concealed within an archive file.
The archive contains an obfuscated JavaScript script which, when executed, fetches a second JavaScript file that is scheduled to run for persistence. In the next phase, that JavaScript executes a PowerShell script that gathers system data and sends it to a remote server. The server responds with a PowerShell script that runs in a continuous loop, giving the threat actor the means to distribute a variety of payloads.
GootBot's capabilities include reconnaissance and lateral movement within the environment, which broadens the scope of the attack.
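As an added defender-side example (not code from the original post or from IBM X-Force), the following Python hunt logic turns the chain described above into checks over a handful of constructed Sysmon-style events. It assumes that the JavaScript stage runs under the Windows Script Host (so wscript.exe or cscript.exe is the parent of powershell.exe), that the obfuscated PowerShell stage is launched with encoded or hidden-window arguments, and that GootBot's continuous command loop shows up as regular polling from one PowerShell process to one host. The event records, hostnames and PIDs are constructed sample data.

```python
"""Added hunting example (not part of the original post or the IBM X-Force
report): flags two observable stages of the GootLoader -> GootBot chain in
constructed Sysmon-style process and network events.

Assumptions, labelled as such:
  * the JavaScript stage is executed by the Windows Script Host
    (wscript.exe / cscript.exe), which is therefore the parent of powershell.exe;
  * the obfuscated PowerShell stage is launched with encoded / hidden-window
    arguments;
  * the GootBot polling loop shows up as repeated connections from one
    powershell.exe process to a single host at a near-constant interval.
All events, hosts and PIDs below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumption: WSH runs the JS stage
PS_OBFUSCATION_ARGS = ("-enc", "-encodedcommand", "-nop", "-noprofile",
                       "-w hidden", "-windowstyle hidden")


@dataclass
class ProcEvent:
    ts: datetime
    pid: int
    image: str
    cmdline: str
    parent_image: str


@dataclass
class NetEvent:
    ts: datetime
    pid: int
    image: str
    dest_host: str


def find_script_host_to_powershell(proc_events):
    """PIDs of powershell.exe launched by a script host with obfuscation-style args."""
    hits = []
    for e in proc_events:
        if e.image.lower() != "powershell.exe":
            continue
        if e.parent_image.lower() not in SCRIPT_HOSTS:
            continue
        cmd = e.cmdline.lower()
        if any(arg in cmd for arg in PS_OBFUSCATION_ARGS):
            hits.append(e.pid)
    return hits


def find_beacons(net_events, min_conns=4, max_jitter_ratio=0.25):
    """(pid, host) pairs where one powershell.exe process polls the same host
    repeatedly at a near-constant interval: the shape of the GootBot command loop."""
    by_key = defaultdict(list)
    for n in net_events:
        if n.image.lower() == "powershell.exe":
            by_key[(n.pid, n.dest_host)].append(n.ts)
    beacons = []
    for key, stamps in sorted(by_key.items()):
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # coefficient of variation of the inter-connection gaps: low means regular polling
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons.append(key)
    return beacons


def hunt(proc_events, net_events):
    return {
        "script_host_powershell": find_script_host_to_powershell(proc_events),
        "beacons": find_beacons(net_events),
    }


# --- constructed sample telemetry (not real indicators) ----------------------
T0 = datetime(2023, 1, 1, 9, 0, 0)
PROC_EVENTS = [
    ProcEvent(T0, 4100, "wscript.exe",
              r'wscript.exe "C:\Users\user\Downloads\contract_form.js"', "explorer.exe"),
    # obfuscated PowerShell stage launched by the JS stage (placeholder payload)
    ProcEvent(T0 + timedelta(seconds=10), 4188, "powershell.exe",
              "powershell.exe -nop -w hidden -enc <base64-placeholder>", "wscript.exe"),
    # benign admin usage: PowerShell from explorer, no obfuscation flags
    ProcEvent(T0 + timedelta(minutes=5), 5020, "powershell.exe",
              r"powershell.exe -File C:\scripts\backup.ps1", "explorer.exe"),
]
NET_EVENTS = [
    NetEvent(T0 + timedelta(seconds=s), 4188, "powershell.exe", "compromised-blog.example")
    for s in (20, 80, 142, 200, 261)        # ~60 s polling loop with small jitter
] + [
    NetEvent(T0 + timedelta(seconds=s), 5020, "powershell.exe", "updates.example")
    for s in (300, 900)                     # two connections: below the beacon threshold
]

if __name__ == "__main__":
    print(hunt(PROC_EVENTS, NET_EVENTS))
```

Because every GootBot sample carries its own C2 server, a blocklist of hostnames decays quickly; the parent-process chain and the regularity of the polling are the signals that survive a change of infrastructure, which is why the checks above key on behaviour rather than on addresses.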
The discovery of the GootBot variant underscores the extent to which attackers are willing to go to maintain their concealment and execute covert operations. This shift in tactics, techniques, and tools heightens the risk of successful post-exploitation stages, particularly those associated with GootLoader-linked ransomware activities, as noted by the researchers.
Happy Hunting!
— threathuntress