GootLoader, a malware loader, remains in active use as threat actors rely on it to deliver additional payloads to compromised hosts.
An analysis by cybersecurity firm Cybereason found that GootLoader 3 is currently in active use, with an updated payload version.
Although certain details of the GootLoader payload have changed over time, the infection strategies and overall functionality remain consistent with those observed since the malware's resurgence in 2020.
GootLoader, a malware loader associated with the Gootkit banking trojan, is used by a threat actor tracked as Hive0127 (UNC2565). It relies on JavaScript to download post-exploitation tools and is distributed through search engine optimization (SEO) tactics.
The malware serves as a conduit for delivering various payloads like Cobalt Strike, Gootkit, and others.
The GootLoader threat actors have introduced a new command-and-control tool named GootBot, signaling an expansion of their activities to target a wider audience for financial gain.
Attack chains involve compromising websites to host the GootLoader JavaScript payload disguised as legal documents; once executed, the payload establishes persistence and runs scripts that collect system information.
Security researchers have noted that GootLoader employs source code encoding, control flow obfuscation, and other techniques to evade analysis and detection. The malware is sometimes embedded within legitimate JavaScript files.
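As an added defensive illustration (not code from the article, Cybereason, or the GootLoader authors), the following Python scanner applies generic heuristics for spotting encoded or obfuscated code appended to an otherwise legitimate JavaScript file: dynamic code evaluation, character-code string building, long numeric arrays, abnormally long lines, and high-entropy lines. The indicators, thresholds, and both sample files are assumptions constructed for this example and are not GootLoader signatures.

```python
"""Heuristic scanner for obfuscated code appended to legitimate-looking
JavaScript files. Added example: the indicators and thresholds below are
assumed, general-purpose heuristics, not signatures for any specific malware."""
import math
import re
from collections import Counter

# Assumed indicators of encoded / obfuscated JavaScript
DYNAMIC_EVAL_RE = re.compile(r"\b(eval|Function)\s*\(")
CHARCODE_RE = re.compile(r"String\.fromCharCode")
NUMERIC_ARRAY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){20,}\d{1,3}\s*\]")
MAX_LINE_LEN = 2000       # assumed threshold for an "abnormally long" line
ENTROPY_THRESHOLD = 4.5   # assumed threshold in bits/char for a single line


def shannon_entropy(data: str) -> float:
    """Bits per character of the given text (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_js(text: str) -> dict:
    """Return a dict of indicator name -> value for one JavaScript source."""
    lines = text.splitlines()
    longest_line = max(lines, key=len, default="")
    # Entropy is measured on the longest line, where appended blobs usually sit.
    return {
        "dynamic_eval": bool(DYNAMIC_EVAL_RE.search(text)),
        "fromcharcode": bool(CHARCODE_RE.search(text)),
        "numeric_array": bool(NUMERIC_ARRAY_RE.search(text)),
        "longest_line": len(longest_line),
        "entropy_longest_line": round(shannon_entropy(longest_line), 2),
    }


def is_suspicious(indicators: dict) -> bool:
    """Flag a file when at least two independent indicators fire."""
    hits = sum([
        indicators["dynamic_eval"],
        indicators["fromcharcode"],
        indicators["numeric_array"],
        indicators["longest_line"] > MAX_LINE_LEN,
        indicators["entropy_longest_line"] > ENTROPY_THRESHOLD,
    ])
    return hits >= 2


# Constructed sample: a small, legitimate-looking utility library.
CLEAN_JS = """\
// constructed sample: a small, legitimate-looking utility library
(function (global) {
  function debounce(fn, wait) {
    var timer = null;
    return function () {
      clearTimeout(timer);
      timer = setTimeout(fn, wait);
    };
  }
  global.debounce = debounce;
})(window);
"""

# Constructed sample: the same library with an encoded block appended.
# The "payload" is a harmless placeholder string built from char codes.
_codes = ",".join(str(ord(c)) for c in "console.log('placeholder')")
TROJANIZED_JS = CLEAN_JS + (
    "var _0x=[" + _codes + "];"
    "var _s=_0x.map(function(c){return String.fromCharCode(c)}).join('');"
    "Function(_s)();\n"
)

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_JS), ("trojanized", TROJANIZED_JS)):
        ind = scan_js(src)
        print(name, ind, "SUSPICIOUS" if is_suspicious(ind) else "ok")
```

Requiring two independent indicators keeps single benign hits (a legitimate library that happens to use `eval`, or one minified line) from raising an alert on their own; in practice the thresholds would be tuned against a corpus of known-good files from the site being monitored.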
The malware has undergone updates to enhance evasion and execution functionalities, according to the researchers.