Researchers from IBM X-Force have discovered a new variant of Gootloader, dubbed “GootBot” implant. This new variant enhances stealthy lateral movement, complicates its detection, and blocking of the Gootloader malware in an enterprise organization.
The research team at IBM has identified that the Goot-Campaign is exploiting SEO poisoning. This poses a risk to unsuspecting internet users who are seeking information.
Furthermore, the team describes GootBot, as a lightweight yet potent malware, that enables attackers to swiftly proliferate across the network and deploy additional payloads.
In the past, the loader served merely as an initial access malware, with attackers subsequently loading tools like CobaltStrike or using RDP to spread within an organization’s network.
The Gootloader A Custom Bot:
However, new discovery shows that the Gootloader group has introduced their custom bot into the late stages of their attack chain, in an effort to evade detections when using commonly available tools for C2 such as CobaltStrike or RDP.
The Gootloader infection stage actively involves the downloading of GootBot as a payload. It then receives Command-n-Control (C2) tasks in the form of encrypted PowerShell scripts, which it executes as jobs.
In contrast to Gootloader, GootBot is an obfuscated Power Shell (PS) script that is lightweight and contains only a single C2 server.
Each GootBot implant actively propagates across infected enterprise domains in large numbers, each containing a different C2 server running on a compromised WordPress site. The goal is to reach a domain controller.
Currently, GootBot has no detections listed on VirusTotal
This new change in TTPs (Tactics, Techniques, and Procedures), and tooling increases the risk of successful post-exploitation stages, of a Gootloader-linked ransomware affiliate activity.
Indeed the Gootloader group has developed a unique tool “GootBot” for C2 and lateral movement, making the tool a unique one different from other traditional post-exploitation frameworks such as CobaltStrike.
RECOMMENDATION:
The IBM research team recommends the following actions for internet users:
- Keep their anti-virus and related files updated.
- Enable script block logging and check Windows event logs for potential breaches.
- Watch for execution of JavaScript files in downloaded ZIP archives.
- Look out for scheduled tasks using wscript.exe to run JavaScript files with short names (*~1.JS).
- Check network traffic for unusual HTTP requests to URLs ending with “xmlrpc.php”.
- Be aware of suspicious cookie values: <BOT_ID>=<0/1 depending on user admin status>.
- Notice suspicious content format: <BOT_ID>=[sX<<random_int>><packet_seq_number>]<data>.
- Keep an eye on lateral movement via WinRM, WMI, or SCM.
- Disable or monitor the “Start-Job” Cmdlet.
We at Fixitgearware Security strongly recommend that you stay updated with the latest cyber breaches and information leakage.
As a reader of our article, we urge you to focus on the recommendations and Indicators of Compromise (IoCs) that our publication and the published organization’s dedicated research team presents. These IoCs act as crucial signals for potential security threats. By staying informed with these recommendations, you can significantly improve your cybersecurity measures and effectively safeguard your digital assets.
Put your comments below in the comment section on your thoughts about this.