Cybereason Threat Analysis investigates the ongoing activity and evolution of the GootLoader malware, noting that GootLoader 3.0 is currently active and the campaign is expanding to new post-exploitation tools. It details the use of SEO poisoning, a three-stage infection chain, and UNC2565’s role in delivering GootLoader and its variants via compromised web infrastructure. #GootLoader #UNC2565

Keypoints

  • GootLoader remains actively developed and is evolving into several versions, with version 3.0 in active use.
  • Infection relies on SEO poisoning to deliver obfuscated JavaScript payloads masquerading as business/legal documents.
  • UNC2565 operates GootLoader to deploy post-exploitation malware and has introduced its own C2/lateral-movement tool, GootBot.
  • The malware uses a three-stage infection chain: Stage 1 JavaScript payload, Stage 2 obfuscated payload dropped via a scheduled task, Stage 3 PowerShell-based discovery and C2 communication.
  • Stage 3 PowerShell collects host information and handles C2 communications; data is compressed and encoded before transport.
  • GootLoader employs heavy obfuscation and anti-analysis techniques, including code segmentation, array-based control flow, and Stage 2 payload inflation reaching tens of megabytes.

MITRE Techniques

  • [T1608.006] Stage Capabilities: SEO Poisoning – ‘Threat actors abuse SEO poisoning to attract users toward drive-by download of GootLoader stagers.’
  • [T1608.004] Stage Capabilities: Drive-by Target – ‘drive-by download of GootLoader stagers.’
  • [T1584.006] Compromise Infrastructure: Web Services – ‘Threat actors abuse compromised web services (e.g. WordPress) to deliver GootLoader stagers.’
  • [T1047] Windows Management Instrumentation – ‘GWMI command to fetch OS version.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – ‘Stage 3 uses PowerShell to deobfuscate and execute…’
  • [T1059.007] Command and Scripting Interpreter: JavaScript – ‘Stage 1 and Stage 2 use JavaScript.’
  • [T1053.005] Scheduled Task/Job: Scheduled Task – ‘Scheduled Task created by Stage 1 to run Stage 2.’
  • [T1027] Obfuscated Files or Information – ‘Obfuscate the JavaScript files by placing malicious code into legitimate JavaScript libraries.’
  • [T1140] Deobfuscate/Decode Files or Information – ‘Deobfuscation methods…’
  • [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – ‘Anti-analysis methods with WScript Sleep.’
  • [T1057] Process Discovery – ‘GPS: fetch list of currently running processes.’
  • [T1652] Device Driver Discovery – ‘GDR: fetch disk usage.’
  • [T1071] Application Layer Protocol – ‘C2 communication in Stage 3.’
  • [T1132.001] Standard Encoding – ‘data encoded and compressed for C2.’
  • [T1573] Encrypted Channel – ‘TLS used for C2.’

Indicators of Compromise

  • [File] Stage 1 payload filenames – texas mutual combat laws 67138.js, common law marriage act jamaica 51570.js, and 2 more filenames
  • [Domain] Compromised websites hosting archives for payload delivery – compromised WordPress sites used to host GootLoader stagers
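The lure filename shape listed above and the Stage 1 to Stage 2 scheduled-task step from the Keypoints, turned into a small host-telemetry triage check as an added example (not code from the Cybereason report). The record layout, the cscript.exe host and the task path are assumptions; the two lure names are the ones quoted on this page.

```python
import re

# Shape of the Stage 1 lure filenames listed in the IoC section:
# a lower-case legal/business phrase, a space, a five-digit number, ".js".
# Example from the page: "texas mutual combat laws 67138.js".
STAGE1_NAME = re.compile(r"^(?:[a-z]+ )+\d{5}\.js$")

def is_stage1_lure_name(filename: str) -> bool:
    """True when a dropped file name matches the lure shape above."""
    return STAGE1_NAME.match(filename.strip().lower()) is not None

def is_js_task_action(action: str) -> bool:
    """True when a scheduled-task action launches a .js file through a Windows
    script host (Stage 1 creating a task to run Stage 2). wscript.exe follows
    from the WScript usage on the page; cscript.exe is an assumption."""
    a = action.lower()
    return ("wscript.exe" in a or "cscript.exe" in a) and ".js" in a

def triage(events):
    """Walk constructed telemetry records and return human-readable alerts.
    Each record is a dict with a 'kind' and a few fields; this layout is
    constructed for the example and is not any product's native schema."""
    alerts = []
    for ev in events:
        if ev["kind"] == "file_create" and is_stage1_lure_name(ev["name"]):
            alerts.append(f"stage1-lure-name host={ev['host']} file={ev['name']}")
        elif ev["kind"] == "task_create" and is_js_task_action(ev["action"]):
            alerts.append(f"js-task host={ev['host']} task={ev['task']}")
    return alerts

# Constructed sample telemetry: the two lure names quoted on the page, one
# benign library name, one task running a .js via wscript, one ordinary task.
SAMPLE_EVENTS = [
    {"kind": "file_create", "host": "ws01", "name": "texas mutual combat laws 67138.js"},
    {"kind": "file_create", "host": "ws01", "name": "common law marriage act jamaica 51570.js"},
    {"kind": "file_create", "host": "ws02", "name": "jquery.min.js"},
    {"kind": "task_create", "host": "ws01", "task": "Updater",
     "action": r"C:\Windows\System32\wscript.exe C:\Users\Public\Libs\update.js"},
    {"kind": "task_create", "host": "ws02", "task": "Backup",
     "action": r"C:\Program Files\Backup\backup.exe /nightly"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The name check is a shape heuristic only and will miss lures that drop the five-digit suffix, so treat a hit as a triage lead to pair with the task check rather than a verdict.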

Read more: https://www.cybereason.com/blog/i-am-goot-loader