
GootBot Malware

Cybersecurity researchers have identified a new malware strain, GootBot, that enables lateral movement within compromised networks while evading detection. Analysis of the threat indicates that it is a new variant derived from the previously documented GootLoader malware.

Notably, the GootLoader group has introduced this custom bot into the later stages of its attack chain in an effort to evade the detection that comes with readily available tools such as CobaltStrike or RDP. The new variant is lightweight but effective, allowing attackers to spread through a network and deploy additional payloads rapidly.

GootLoader, as its name suggests, specializes in downloading next-stage malware after luring victims through search engine optimization (SEO) poisoning. The malware has been attributed to a threat actor tracked as Hive0127, also known as UNC2565 in the cybersecurity community.

The GootBot Malware Attacks May Involve Poisoned Search Results

The observed GootBot campaigns rely on SEO-poisoned search results for topics such as contracts, legal forms and other business documents. These results lead unsuspecting victims to compromised websites designed to resemble legitimate forums, where they are tricked into downloading an initial payload hidden inside an archive file. The archive contains a JavaScript file that, when run, retrieves a second JavaScript file; the second file is executed through a scheduled task, which gives it persistence on the compromised system.
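The scheduled-task persistence described above leaves a hunting opportunity: a task whose action is a script host (wscript.exe or cscript.exe) launching a JScript file from a user-writable directory is rare in a managed environment. The following triage script is an added example written for this page; it is not code from the campaign or from any vendor tool. The task records are constructed, and the set of script hosts, extensions and "user-writable" directories are assumptions a real hunt would tune to its own estate.

```python
"""Triage scheduled tasks for script-based persistence: a Windows Script Host
launching a JScript file that lives in a user-writable directory.
All task records below are constructed examples, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Executables that run scripts rather than compiled binaries (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
JSCRIPT_EXTS = (".js", ".jse")
# Directories an unprivileged user can write to (assumed; extend for your estate).
USER_WRITABLE = re.compile(
    r"\\(?:AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.IGNORECASE
)


@dataclass
class TaskRecord:
    name: str          # task path as shown by the Task Scheduler
    author: str        # account that registered the task
    command_line: str  # full action: executable plus arguments


def split_command_line(cmdline: str) -> List[str]:
    """Tokenise a Windows command line, keeping quoted paths as one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def triage(task: TaskRecord) -> List[str]:
    """Return the reasons a task looks like script persistence; empty means clean."""
    reasons: List[str] = []
    tokens = split_command_line(task.command_line)
    if not tokens:
        return reasons
    # Last path component of the executable, case-folded.
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in SCRIPT_HOSTS:
        return reasons  # compiled binaries are out of scope for this hunt
    args = tokens[1:]
    if exe in WSH_HOSTS and any(a.lower().endswith(JSCRIPT_EXTS) for a in args):
        reasons.append("Windows Script Host launching a JScript file")
    if USER_WRITABLE.search(task.command_line):
        reasons.append("task action references a user-writable directory")
    return reasons


def hunt(tasks: List[TaskRecord]) -> Dict[str, List[str]]:
    """Map each flagged task name to its reasons; unflagged tasks are omitted."""
    findings: Dict[str, List[str]] = {}
    for task in tasks:
        reasons = triage(task)
        if reasons:
            findings[task.name] = reasons
    return findings


# Constructed sample: one OS task, one admin-created PowerShell task, one
# task shaped like the persistence described in the article.
SAMPLE_TASKS = [
    TaskRecord(r"\Microsoft\Windows\Defrag\ScheduledDefrag", "Microsoft Corporation",
               r"%windir%\system32\defrag.exe -c -h -o -$"),
    TaskRecord(r"\Nightly Backup", r"CORP\itadmin",
               r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File C:\Scripts\backup.ps1'),
    TaskRecord(r"\Contract Update", r"DESKTOP-7F3\alice",
               r'C:\Windows\System32\wscript.exe "C:\Users\alice\AppData\Roaming\Contract_Template_7131.js"'),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Only the third task is reported, with both reasons; the admin's PowerShell backup task is a script host but runs from a non-user-writable path, so it stays quiet. Feeding real data means populating `TaskRecord` from a task export and widening `USER_WRITABLE` to the directories your baseline shows users actually write to.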

The utilization of GootBot signifies a notable shift in tactics. Instead of relying on post-exploitation frameworks like CobaltStrike, GootBot is employed as a payload following a GootLoader infection.

GootBot is described as an obfuscated PowerShell script whose primary function is to connect to a compromised WordPress site that serves as its command-and-control channel, and it receives further instructions over that connection. Because each dropped GootBot sample uses its own distinct, hard-coded Command-and-Control (C2) server, blocking the malicious traffic by address is difficult.

The GootBot Malware Can Perform Various Invasive Functions on Infected Devices

During the second stage of the attack chain, a JavaScript component executes a PowerShell script that collects system information and transmits it to a remote server. In response, the remote server sends back a PowerShell script that runs in a continuous loop, giving the threat actor the ability to distribute various payloads.

One of these payloads is GootBot, which maintains regular communication with its Command-and-Control (C2) server, reaching out every 60 seconds to receive PowerShell tasks for execution and transmitting the results via HTTP POST requests.
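Two details above point at a behavioural detection rather than an indicator-based one: each sample has its own hard-coded C2 server, so address blocklists lag behind, but every sample polls on the same fixed 60-second cadence with HTTP POST requests. The script below is an added example for this page, not code from the campaign or from any product. It reads proxy log lines in a simplified, assumed format (`timestamp client method url status`), groups POST requests by client and destination host, and flags pairs whose inter-request interval is nearly constant. The log lines, host names and thresholds are constructed; the method generalises to any fixed polling interval, not just 60 seconds.

```python
"""Flag client/host pairs whose HTTP POST requests recur at a fixed interval,
the beaconing behaviour described above.  Log lines are constructed examples
in an assumed simplified proxy format: <timestamp> <client> <method> <url> <status>."""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample: a 60-second POST cadence to one host, mixed with a user's
# irregular browsing and form submissions to an intranet site.
LOG_LINES = """
2023-11-06T10:00:00 10.0.0.5 GET https://intranet.example/home 200
2023-11-06T10:00:00 10.0.0.5 POST https://compromised-blog.example/ 200
2023-11-06T10:00:17 10.0.0.5 GET https://intranet.example/news 200
2023-11-06T10:01:00 10.0.0.5 POST https://compromised-blog.example/ 200
2023-11-06T10:01:45 10.0.0.5 POST https://intranet.example/search 200
2023-11-06T10:02:01 10.0.0.5 POST https://compromised-blog.example/ 200
2023-11-06T10:03:00 10.0.0.5 POST https://compromised-blog.example/ 200
2023-11-06T10:03:59 10.0.0.5 POST https://compromised-blog.example/ 200
2023-11-06T10:04:02 10.0.0.5 POST https://intranet.example/search 200
2023-11-06T10:05:00 10.0.0.5 POST https://compromised-blog.example/ 200
2023-11-06T10:06:00 10.0.0.5 POST https://compromised-blog.example/ 200
2023-11-06T10:09:31 10.0.0.5 POST https://intranet.example/search 200
2023-11-06T10:12:10 10.0.0.5 POST https://intranet.example/search 200
2023-11-06T10:20:40 10.0.0.5 POST https://intranet.example/search 200
""".strip().splitlines()


def parse(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, client, method, destination host)."""
    ts, client, method, url, _status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), client, method, urlsplit(url).hostname


def find_beacons(lines: List[str], min_requests: int = 5, max_spread: float = 0.15) -> List[Dict]:
    """Return client/host pairs whose POST inter-arrival times are nearly constant.

    spread = population std-dev of the gaps divided by their median; a value near
    zero means a metronomic cadence.  Thresholds are assumed starting points."""
    posts: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in lines:
        ts, client, method, host = parse(line)
        if method == "POST":
            posts[(client, host)].append(ts)

    findings: List[Dict] = []
    for (client, host), stamps in posts.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        interval = statistics.median(gaps)
        if interval <= 0:
            continue  # bursts of simultaneous requests are not beacons
        spread = statistics.pstdev(gaps) / interval
        if spread <= max_spread:
            findings.append({
                "client": client,
                "host": host,
                "requests": len(stamps),
                "interval_s": interval,
                "spread": round(spread, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES):
        print(f"{hit['client']} -> {hit['host']}: {hit['requests']} POSTs "
              f"every ~{hit['interval_s']:.0f}s (spread {hit['spread']})")
```

On the sample, the intranet POSTs have a spread above 0.6 and drop out, while the seven POSTs to the second host come back as a 60-second beacon. In production the same logic would be run per time window, with an allowlist for software that legitimately polls on a schedule (update checks, monitoring agents), since those produce the same signature.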

GootBot boasts a range of capabilities, from conducting reconnaissance to enabling lateral movement within the environment, effectively expanding the scope of the attack.

The emergence of this GootBot variant underscores the extensive measures that threat actors are willing to take to elude detection and operate covertly. This shift in tactics, techniques, and tooling significantly elevates the risk associated with successful post-exploitation stages, particularly those related to GootLoader-associated ransomware affiliate activities.
