Gootloader: Why your Legal Document Search May End in Misery

MITRE Techniques

• [T1189] Drive-by Compromise – SEO poisoning used to lure victims into downloading the malicious payload. Quote: “The initial vector of this attack utilizes a technique called Search Engine Optimization (SEO) poisoning to lure victims into downloading the malicious payload.”
• [T1566.002] Phishing: Spearphishing Link – Visitors to poisoned search results are directed to a page that mimics a forum to entice a download. Quote: “When visiting a poisoned link from the search engine result, the user will be directed to a page that mimics a forum.”
• [T1036] Masquerading – The fake forum page employs social engineering tactics to entice clicks on a direct download. Quote: “This fake forum page employs social engineering tactics to entice the user to click on a direct download link for the desired document file.”
• [T1027] Obfuscated/Compressed Files and Information – The external JavaScript is obfuscated, loaded from a script, and later deobfuscated/executed. Quote: “an external JavaScript is being loaded. This obfuscated JavaScript is responsible for overlaying the fake forum page…”
• [T1053.005] Scheduled Task – A new scheduled task named “Anger Management” is created to run dropped payloads. Quote: “A new scheduled task is created using a predefined task name “Anger Management”.”
• [T1059.001] PowerShell – PowerShell reconnaissance and stager; hardcoded PowerShell snippet executed via cscript/wscript. Quote: “The code contains a hardcoded PowerShell snippet that is executed…”
• [T1082] System Information Discovery – The stager collects OS version, environment paths, running processes, open windows, etc. Quote: “Environment paths… Windows OS version… Running process names… Titles of all open windows” and similar.
• [T1041] Exfiltration – Collected data is compressed, Base64‑encoded, and sent via HTTP Cookie header. Quote: “The stolen information is compressed using GZIP and then encoded with Base64. The stolen information is then sent to the URL via the HTTP Cookie header.”
• [T1046] Network Service Discovery – The PowerShell network scanner checks whether SMB and Windows Remote Management are open. Quote: “A PowerShell script that conducts network scans and fingerprinting of the local network, specifically examining if SMB (Server Message Block) and Windows Remote Management are open.”
• [T1047] Windows Management Instrumentation – WMI is used to gather system information. Quote: “the script utilizes the WMI (Windows Management Instrumentation) and ‘gps’ (Get-Process) PowerShell commands.”