Cybereason’s Threat Alerts describe a GootLoader campaign that uses SEO poisoning and watering-hole techniques to deliver large, obfuscated JavaScript payloads, followed by hands-on post-exploitation activity with Cobalt Strike and SystemBC. The operation targets English-speaking countries and sectors such as healthcare and finance, and is rated SEVERE by Cybereason. #GootLoader #SEOpoisoning #CobaltStrike #SystemBC #WordPress #UNC2565
Keypoints
- GootLoader delivers unusually large payloads (40MB+) while masquerading as legitimate JavaScript to evade defenses.
- Threat actors are described as aggressive, achieving control and privilege escalation within about 4 hours.
- Post-infection frameworks (Cobalt Strike and SystemBC) are deployed for data exfiltration and lateral movement.
- SEO poisoning and fraudulent websites (some promoted through Google Ads) are used to drive victims to download the malware.
- Cybereason Defense Platform detects these infections and post-exploitation activities; the threat is deemed SEVERE.
- Targets include English-speaking countries (US, UK, Australia) and sectors such as healthcare and finance.
MITRE Techniques
- [T1189] Drive-by Compromise – The infection payload is hosted on a compromised WordPress website that acts as a watering hole; SEO poisoning lures victims to the page and into downloading the malicious payload.
- [T1027] Obfuscated Files and Information – Heavily obfuscated JavaScript files with unusually large file sizes (over 40 MB).
- [T1574.001] DLL Search Order Hijacking – Cobalt Strike was deployed by DLL hijacking against a legitimate VLC media player executable.
- [T1090] Proxy – SystemBC is used as proxy malware, providing SOCKS5 connectivity during the exfiltration phase.
- [T1071.001] Web Protocols – GootLoader uses compromised WordPress websites as its C2 servers.
- [T1021] Remote Services – Hands-on-keyboard activity after the initial infection led to the further deployment of Cobalt Strike and SystemBC during lateral movement.
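As an added example (not part of Cybereason's alert and not their tooling), the following Python hunting heuristic targets the delivery pattern described in the T1189 and T1027 entries above: a ZIP archive whose only member is an oversized .js file that opens with a legitimate library banner. The size threshold, the banner markers and the member names are assumptions chosen for illustration; the sample archive is constructed inline so the script runs offline.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Thresholds and banner markers are assumptions chosen for illustration.
# The alert reports 40 MB+ samples; a lower bar still sits far above the
# size of any genuine minified library (jQuery is under 100 KB).
LARGE_JS_BYTES = 10 * 1024 * 1024
LIBRARY_BANNERS = (b"jquery", b"lodash", b"underscore", b"bootstrap", b"chart.js")
SCRIPT_EXTENSIONS = (".js", ".jse")


@dataclass
class Finding:
    member: str            # archive member name
    size: int              # uncompressed size in bytes
    sole_member: bool      # True when the script is the only file in the archive
    banner: Optional[str]  # library name claimed in the leading bytes, if any


def library_banner(head: bytes) -> Optional[str]:
    """Return the first known library marker found in the file's leading bytes."""
    low = head.lower()
    for marker in LIBRARY_BANNERS:
        if marker in low:
            return marker.decode()
    return None


def scan_zip(data: bytes, threshold: int = LARGE_JS_BYTES) -> List[Finding]:
    """Flag oversized script members. ZipInfo.file_size is the uncompressed size,
    so a padded script cannot hide behind good compression of the archive."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        for info in members:
            if not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            if info.file_size < threshold:
                continue
            with zf.open(info) as fh:
                head = fh.read(1024)  # only the header is needed for the banner check
            findings.append(Finding(info.filename, info.file_size,
                                    len(members) == 1, library_banner(head)))
    return findings


def build_sample(size: int, name: str = "agreement_template.js") -> bytes:
    """Constructed sample (not a real GootLoader artefact): one script padded to
    `size` bytes behind a jQuery-style banner, packed as the archive's only member."""
    body = b"/*! jQuery v3.6.0 | (c) OpenJS Foundation */\nfunction run(){}\n"
    body += b" " * max(0, size - len(body))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    one_mb = 1024 * 1024
    # A 2 MB "jQuery" as the only archive member trips a 1 MB threshold.
    for finding in scan_zip(build_sample(2 * one_mb), threshold=one_mb):
        print(f"{finding.member}: {finding.size} bytes, sole member={finding.sole_member}, "
              f"claims to be {finding.banner}")
```

Pointing `scan_zip` at archives collected from browser download directories or mail gateways gives a cheap first-pass triage: a script far larger than the library it claims to be, sitting alone in an archive, is worth pulling for analysis even before any deobfuscation.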
Indicators of Compromise
- [URL] Delivery and C2 infrastructure – https://transfer[.]sh/get/7i8rkw/Rufus_Pro_signed.exe, https://ruflus[.]xyz
- [File name] Payload observed – Rufus_Pro_signed.exe
- [Malware family] Referenced – Lumma Stealer
- [Path] WordPress-related C2 activity path – /xmlrpc.php (noted in VirusTotal relations)