New Gootloader Variant “GootBot” Changes the Game in Malware Tactics – SOCRadar® Cyber Intelligence Inc.

Researchers identified a fresh Gootloader variant named “GootBot” that adds lateral movement and stealth to post-infection activity. It uses hardcoded C2 servers on compromised WordPress sites and avoids common off-the-shelf tools to deploy additional payloads, signaling a shift in threat tactics. Hashtags: #Gootloader #GootBot #UNC2565 #Hive0127 #CobaltStrike #IcedID #SystemBC #WordPress #XMLRPC

Keypoints

  • GootBot is a new Gootloader variant that, once a host is infected, moves laterally inside the network and deploys follow-on payloads without relying on off-the-shelf tooling.
  • The Gootloader operators (tracked as UNC2565 by Mandiant and Hive0127 by IBM X-Force) have expanded their tactics since 2022, distributing secondary payloads such as Cobalt Strike, IcedID, and SystemBC.
  • Each GootBot payload carries a single hardcoded C2 server, typically a compromised WordPress site, so there is no shared C2 infrastructure for defenders to block and the traffic blends in with ordinary web requests.
  • Infection begins with a malicious archive containing a heavily obfuscated JavaScript file (Gootloader's first stage); later stages create a scheduled task for persistence, run PowerShell, and upload collected system information to the C2 servers.
  • Post-infection, GootBot conducts lateral movement over WinRM, SMB, and remote services, and may reuse exfiltrated credentials to spread.
  • SOCRadar XTI and Mandiant IoCs cover a broad set of indicators for Gootloader campaigns, including file hashes, registry-resident payloads, and C2 domains and addresses.

MITRE Techniques

  • [T1189] Drive-by Compromise – The campaigns employ SEO poisoning to lure victims to compromised websites where they unwittingly download the initial payload. ‘campaigns employing SEO poisoning attacks… luring victims to seemingly legitimate websites where they unwittingly download the initial payload.’
  • [T1027] Obfuscated/Compressed Files and Information – The initial infection involves a heavily obfuscated JavaScript file in an infected archive. ‘a heavily obfuscated JavaScript file, which is Gootloader’s first stage.’
  • [T1053.005] Scheduled Task – Infections trigger a scheduled task for execution and persistence. ‘triggers a scheduled task for execution and persistence.’
  • [T1059.001] PowerShell – Several stages are PowerShell, including the third stage, which polls the C2 for further PowerShell payloads, and GootBot itself. ‘the third stage, which collects system information and uploads it to one of its 10 hardcoded C2 servers’; GootBot is described as a ‘PowerShell script’ that makes use of ‘Start-Job’.
  • [T1071.001] Web Protocols – C2 communication occurs via HTTP GET requests to retrieve PowerShell tasks. ‘GootBot sends a GET request to its C2 server, requesting PowerShell tasks.’
  • [T1082] System Information Discovery – The payload collects system information as part of reconnaissance. ‘The third stage PowerShell script runs in an endless loop, enabling the actor to receive various PowerShell payloads from the C2.’ and ‘collects domain user names, OS information, architecture details, domain controller information, running processes, SIDs, local IP addresses, hostnames, and formats the data with the specified ID.’
  • [T1021.006] Windows Remote Management (WinRM) – Lateral movement uses WinRM in PowerShell. ‘WinRM in PowerShell.’
  • [T1021.002] SMB/Windows Admin Shares – Payloads are copied via SMB during lateral movement. ‘copying payloads via SMB.’
  • [T1543.003] Create/Modify System Process: Windows Service – Remote services and scheduled tasks are created or manipulated via WinAPI calls. ‘using WinAPI calls for creating remote services and scheduled tasks.’
  • [T1078] Valid Accounts – Exfiltrated credentials are used to spread within the environment. ‘exfiltrated credentials for spreading.’
  • [T1036] Masquerading – Spoofing PowerShell process arguments by creating a new process before writing to stdin. ‘spoof PowerShell process arguments by creating a new process before writing the malicious script to the process’s standard input.’
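The techniques above map to process-tree artefacts a detection engineer can alert on: a script host executing a .js file, schtasks.exe spawned by that script host, a PowerShell process whose command line carries no script (the stdin trick the page maps to T1036), and commands running as children of the WinRM plug-in host on the lateral-movement target. The rules below are an added example written for this page, not detection content from SOCRadar, IBM X-Force or Mandiant; the events are constructed Sysmon-style (Event ID 1) process-creation records with made-up paths and PIDs, and the field names (Image, ParentImage, CommandLine, ProcessId) follow Sysmon's schema.

```python
"""Heuristic process-tree rules for the Gootloader/GootBot behaviours mapped above.

Added example, not code from SOCRadar, IBM X-Force or Mandiant. The sample events
are constructed Sysmon-style process-creation records; the rule logic is an
assumption about what the described behaviour looks like in telemetry.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Children of the WinRM plug-in host on the target side of a remote session.
REMOTE_SESSION_CHILDREN = ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe")
# Flags that put a script, command or encoded command on the PowerShell command line.
# If none is present and the parent is a script host or another PowerShell, the
# script most likely arrived over stdin, the argument-spoofing trick described above.
PS_PAYLOAD_FLAGS = re.compile(r"(?i)(^|\s)-(c|command|f|file|e|ec|enc|encodedcommand)\b")


def _base(path: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_js_from_script_host(ev: Event) -> bool:
    """T1027: wscript/cscript executing a .js file (Gootloader's first stage)."""
    return _base(ev["Image"]) in SCRIPT_HOSTS and re.search(r"\.js\b", ev["CommandLine"], re.I) is not None


def rule_schtasks_from_script_host(ev: Event) -> bool:
    """T1053.005: a script host creating a scheduled task for persistence."""
    return (_base(ev["Image"]) == "schtasks.exe"
            and _base(ev["ParentImage"]) in SCRIPT_HOSTS
            and "/create" in ev["CommandLine"].lower())


def rule_powershell_stdin_fed(ev: Event) -> bool:
    """T1036 (as mapped above): PowerShell spawned with no script on its command line."""
    return (_base(ev["Image"]) in POWERSHELL
            and _base(ev["ParentImage"]) in SCRIPT_HOSTS + POWERSHELL
            and PS_PAYLOAD_FLAGS.search(ev["CommandLine"]) is None)


def rule_winrm_remote_child(ev: Event) -> bool:
    """T1021.006: commands run over WinRM appear as children of wsmprovhost.exe on the target."""
    return _base(ev["ParentImage"]) == "wsmprovhost.exe" and _base(ev["Image"]) in REMOTE_SESSION_CHILDREN


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("js_from_script_host", rule_js_from_script_host),
    ("schtasks_from_script_host", rule_schtasks_from_script_host),
    ("powershell_stdin_fed", rule_powershell_stdin_fed),
    ("winrm_remote_child", rule_winrm_remote_child),
]


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (ProcessId, rule name) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev["ProcessId"], name))
    return hits


# Constructed sample telemetry (paths, task names and PIDs are made up).
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": "1001", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\agreement.js"'},
    {"ProcessId": "1002", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /sc onlogon /tr "wscript.exe C:\Users\alice\AppData\Roaming\loader.js"'},
    {"ProcessId": "1003", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden"},
    {"ProcessId": "1004", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"ProcessId": "1005", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": r"cmd.exe /c whoami"},
    {"ProcessId": "1006", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'schtasks.exe /create /tn "Backup" /sc daily /tr backup.cmd'},
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}")
```

The stdin rule is deliberately narrow: an administrator launching `powershell.exe -File script.ps1` from Explorer (PID 1004) does not fire, while a PowerShell child of PowerShell with nothing but session flags on its command line (PID 1003) does. Expect benign hits from automation frameworks that also feed scripts over stdin, and tune the parent list to your environment.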

Indicators of Compromise

  • [File Hash] ZIP – 1011b2cbe016d86c7849592a76b72853, 80a79d0c9cbc3c5188b7a247907e7264, and 1 more item
  • [File Hash] JS – 82607b68e061abb1d94f33a2e06b0d20, 961cd55b17485bfc8b17881d4a643ad8, and 4 more items
  • [Registry Payload 1] – FONELAUNCH.FAX – d6220ca85c44e2012f76193b38881185, and 2 more items
  • [Registry Payload 2] – Cobalt Strike BEACON – 04746416d5767197f6ce02e894affcc7, 2eede45eb1fe65a95aefa45811904824, and 3 more items
  • [Network] C2 Domains – jonathanbartz[.]com, kepw[.]org, and 5 more domains
  • [Cobalt Strike Beacon Backdoor] – 108.61.242[.]65/dot.gif, 108.61.242[.]65/submit.php, and 8 more addresses
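The indicators above are published defanged (`[.]` in place of `.`), and the domain entries should match subdomains of the listed C2 hosts without also matching look-alike names that merely end in the same characters. The script below, an added example rather than SOCRadar's or Mandiant's tooling, refangs the indicators reproduced on this page (the "and N more" items are not included), then matches them against constructed log lines that follow no particular vendor's format; hashes are matched as whole 32-hex tokens, domains by exact or parent-domain match, and the Beacon URLs as host/path strings.

```python
"""Match the defanged indicators listed above against log lines.

Added example, not SOCRadar's or Mandiant's tooling. Indicator values are the
ones reproduced on this page; the log lines are constructed for the example.
"""
import re
from typing import List, Tuple

# Published defanged with "[.]"; refang() restores them for matching.
IOC_HASHES = {
    "1011b2cbe016d86c7849592a76b72853", "80a79d0c9cbc3c5188b7a247907e7264",  # ZIP
    "82607b68e061abb1d94f33a2e06b0d20", "961cd55b17485bfc8b17881d4a643ad8",  # JS
    "d6220ca85c44e2012f76193b38881185",                                      # FONELAUNCH.FAX
    "04746416d5767197f6ce02e894affcc7", "2eede45eb1fe65a95aefa45811904824",  # Cobalt Strike BEACON
}
IOC_DOMAINS = {"jonathanbartz[.]com", "kepw[.]org"}
IOC_URLS = {"108.61.242[.]65/dot.gif", "108.61.242[.]65/submit.php"}

MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
# Hostname-looking tokens; IP addresses are excluded because the last label must be alphabetic.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(value: str) -> str:
    """Undo common defanging: "[.]" (used on this page) and "hxxp" (common elsewhere)."""
    return value.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = sorted(refang(d).lower() for d in IOC_DOMAINS)
URLS = sorted(refang(u).lower() for u in IOC_URLS)
HASHES = {h.lower() for h in IOC_HASHES}


def match_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator type, indicator) pairs found in one log line."""
    text = line.lower()
    hits: List[Tuple[str, str]] = []
    for h in sorted(HASHES & set(MD5_RE.findall(text))):
        hits.append(("hash", h))
    hosts = set(HOST_RE.findall(text))
    for d in DOMAINS:
        # Match the domain itself and its subdomains (www.kepw.org), not substrings (notkepw.org).
        if any(host == d or host.endswith("." + d) for host in hosts):
            hits.append(("domain", d))
    for u in URLS:
        if u in text:
            hits.append(("url", u))
    return hits


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan many lines; returns (line index, indicator type, indicator) triples."""
    return [(i, kind, ioc) for i, line in enumerate(lines) for kind, ioc in match_line(line)]


# Constructed sample logs: a proxy log and one Sysmon-style file event (no real telemetry).
SAMPLE_LOGS = [
    "proxy src=10.0.0.21 method=GET host=www.jonathanbartz.com path=/index.php status=200",
    r"sysmon EventID=1 Image=C:\Users\alice\AppData\Local\Temp\agreement.js Hashes=MD5=82607B68E061ABB1D94F33A2E06B0D20",
    "proxy src=10.0.0.33 method=GET url=http://108.61.242.65/dot.gif status=200",
    "proxy src=10.0.0.40 method=GET host=update.microsoft.com path=/ status=200",
    "proxy src=10.0.0.21 method=POST host=notkepw.org path=/ status=200",
    "proxy src=10.0.0.21 method=POST host=kepw.org path=/ status=200",
]

if __name__ == "__main__":
    for idx, kind, ioc in scan(SAMPLE_LOGS):
        print(f"line {idx}: {kind} {ioc}")
```

Note that the look-alike host `notkepw.org` is not reported even though `kepw.org` is a suffix of it; a plain substring search would have flagged it. Hashes are compared case-insensitively because Sysmon and most EDRs emit them in upper case while threat-intel feeds usually publish lower case.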

Read more: https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/