Keypoints
- GootLoader now operates as an initial access-as-a-service platform delivering second-stage payloads like GootKit.
- Actors use SEO poisoning and manipulated search results to host malicious .zip files masquerading as legitimate downloads.
- The first-stage is a small obfuscated JavaScript that drops a larger JavaScript payload and establishes persistence.
- Persistence methods observed include scheduled tasks that launch dropped .js via WScript/CScript and PowerShell.
- Static and dynamic analysis (including auto-decoding scripts and network captures) revealed obfuscation, malicious domains, and exfiltration over web services.
- Sophos X-Ops MDR discovered this campaign via threat hunting after identifying a new GootLoader variant tied to search queries like “Are Bengal Cats legal in Australia?”
MITRE Techniques
- [T1608.001] Resource Development – SEO poisoning used to upload and distribute malicious files (‘Are Bengal Cats legal in Australia?’)
- [T1189] Initial Access – Drive-by compromise through search-engine results that lead to a malicious .zip download (‘a suspicious .zip file was downloaded’)
- [T1059.007] Execution – Command and scripting interpreter (JavaScript) used to execute the loader and drop secondary scripts (‘wscript REHABI~1.JS’)
- [T1053.005] Persistence – Scheduled Task/Job creation to run the dropped JavaScript regularly (scheduled tasks named ‘Business Aviation’ and ‘Destination Branding’)
- [T1027.009] Defense Evasion – Obfuscated files or information employed in JavaScript to hinder static analysis (‘heavily obfuscated’)
- [T1082] Discovery – System information discovery where scripts enumerate directories and host information sent in requests (‘enumeration information regarding device directories and host information’)
- [T1567] Exfiltration – Exfiltration over web service where encoded data is sent via HTTP requests to attacker-controlled domains (‘GET /xmlrpc.php HTTP/1.1’ with Base64-encoded cookies)
Indicators of Compromise
- [Domain/URL] Malicious landing pages used for SEO poisoning – hxxps://ledabel[.]be/en/are-bengal-cats-legal_in_australia…, hxxps://www[.]chanderbhushan[.]com/doc[.]php, and other malicious domains observed in PCAPs.
- [File name] Downloaded/embedded loader and scripts – Are_bengal_cats_legal_in_australia_33924.zip, are bengal cats legal in australia 72495.js (filenames vary by numeric suffix).
- [File path] Dropped second-stage JavaScript locations – C:\Users\<username>\AppData\Roaming\Notepad++\Small Unit Tactics.js and other AppData\Roaming paths.
- [Scheduled Task / Command] Persistence artifacts and commands – Scheduled task names ‘Business Aviation’ and ‘Destination Branding’ with command lines like ‘wscript REHABI~1.JS’ / ‘wscript SMALLU~1.js’.
————
GootLoader’s operators are exploiting search results to plant JavaScript-based loaders that look like legitimate downloads. Users searching common queries—illustrated by the lure “Are Bengal Cats legal in Australia?”—were redirected to compromised pages that served a small obfuscated .js inside a .zip; that script then dropped a larger, heavily obfuscated JavaScript into AppData and attempted to establish persistence.
During Sophos X-Ops MDR’s hunt for a recently identified variant, investigators observed the loader creating scheduled tasks (e.g., “Business Aviation” / “Destination Branding”) that invoked WScript/CScript and spawned PowerShell activity reaching out to attacker-controlled domains. Network captures showed HTTP GET requests (including Base64-encoded cookies) that contained enumerated system and user directory information, indicating collection and exfiltration over web services.
Static decoding (using Mandiant’s auto-decoder) and dynamic analysis confirmed GootLoader variant 3.0 behavior: randomized filenames, heavy obfuscation, embedded domain lists, and staged execution aiming to deliver GootKit as a second-stage payload — a stealthy info-stealer and RAT capable of deploying follow-on tooling such as Cobalt Strike or ransomware if successful. Organizations should treat unusual search-result downloads and off-path domains with suspicion, and use endpoint protections plus hunting to detect these staged JavaScript loaders.
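The two behaviours described above (a scheduled task that runs wscript/cscript on a .js under AppData\Roaming, and a GET to /xmlrpc.php whose Cookie is a Base64 blob carrying directory listings) can be hunted for with a few lines of logic. The following is an added illustration, not Sophos tooling; the event and proxy log formats and all sample values are constructed for the example.

```python
import base64
import re

# Constructed sample telemetry (not from the report): a scheduled-task creation
# event shaped like the loader's persistence, a benign task, a proxy log line
# shaped like the staged GET, and a benign request.
SAMPLE_EVENTS = [
    'TaskName="Business Aviation" Action="wscript REHABI~1.JS" '
    'WorkingDir="C:\\Users\\victim\\AppData\\Roaming\\Notepad++"',
    'TaskName="Backup Nightly" Action="C:\\Program Files\\Backup\\backup.exe"',
]
SAMPLE_HTTP = [
    "GET /xmlrpc.php HTTP/1.1 Host: compromised-site.invalid Cookie: "
    + base64.b64encode(b"C:\\Users\\victim\\Desktop;C:\\Users\\victim\\Documents;HOST=WKS01").decode(),
    "GET /index.html HTTP/1.1 Host: intranet.invalid Cookie: session=abc123",
]

SCRIPT_HOST = re.compile(r"\b[wc]script(?:\.exe)?\b", re.IGNORECASE)
APPDATA_ROAMING = re.compile(r"AppData\\Roaming", re.IGNORECASE)

def suspicious_task(event: str) -> bool:
    """True when a task's action launches a script host on a .js file and the
    command line or working directory points into AppData\\Roaming."""
    action = re.search(r'Action="([^"]*)"', event)
    workdir = re.search(r'WorkingDir="([^"]*)"', event)
    if not action or not SCRIPT_HOST.search(action.group(1)):
        return False
    context = action.group(1) + " " + (workdir.group(1) if workdir else "")
    return bool(APPDATA_ROAMING.search(context) and re.search(r"\.js\b", context, re.I))

def decoded_cookie_paths(line: str) -> list:
    """For a GET to /xmlrpc.php, Base64-decode the Cookie value and return any
    Windows paths it contains; [] when the request does not look staged."""
    if not line.startswith("GET /xmlrpc.php"):
        return []
    cookie = re.search(r"Cookie: (\S+)", line)
    if not cookie:
        return []
    try:
        decoded = base64.b64decode(cookie.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not Base64, so not this pattern
        return []
    return re.findall(r"[A-Za-z]:\\[^;]+", decoded)

def hunt(events=SAMPLE_EVENTS, http_lines=SAMPLE_HTTP) -> list:
    """Run both checks and return (kind, detail) findings for triage."""
    findings = [("task", e) for e in events if suspicious_task(e)]
    findings += [("exfil", decoded_cookie_paths(h)) for h in http_lines if decoded_cookie_paths(h)]
    return findings

if __name__ == "__main__":
    for kind, detail in hunt():
        print(kind, detail)
```

Real deployments would feed Sysmon/Security event fields and proxy logs in place of the constructed strings; the decoded-path check is what separates the loader's beacon from ordinary WordPress xmlrpc.php traffic.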