GootLoader, a JavaScript downloader malware, is actively used to deliver various malicious payloads, including ransomware, by leveraging SEO poisoning to trick victims into downloading a malicious JavaScript file disguised as a legal document.
The downloaded file then fetches further malware onto the infected machine. GootLoader is part of the GootKit malware family, but attackers now appear to use it to deliver a wider range of malware than GootKit alone.
UNC2565 is a threat actor group that uses GootLoader malware to deliver various malicious payloads, like Cobalt Strike and ransomware.
Once the JavaScript is executed, it establishes persistence, downloads a second-stage payload, and then uses PowerShell to run a third stage that collects system information and communicates with the command-and-control server. The heavy obfuscation of the payloads makes detection and analysis difficult.
The GootLoader infection starts with users downloading an archive containing a JavaScript file (first-stage payload) from compromised websites disguised as legitimate document sources.
The first-stage payload, obfuscated and large, executes via wscript.exe, dropping a second-stage payload and creating a scheduled task to run it for persistence. The second-stage payload, also obfuscated and large, uses wscript.exe, then switches to cscript.exe to spawn a PowerShell instance for further malicious activities.
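The chain described above (a script host running a dropped .js from a user-writable location, a scheduled task pointing at a .js, and wscript/cscript handing off to PowerShell) is a natural set of detection rules over process-creation telemetry. The following is an added example written for this page, not code from the article or from Cybereason; the event layout (one dict per event with Sysmon Event ID 1 style fields), the PIDs, paths and file names are all constructed.

```python
"""Flag GootLoader-style script-host process chains in process-creation events.

Added example, not code from the article or from Cybereason. The event layout
(one dict per process-creation event, Sysmon Event ID 1 style fields) and the
sample events are constructed for this demonstration.
"""
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations where a downloaded or dropped .js would typically live.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.IGNORECASE)
JS_FILE = re.compile(r"\.js\b", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list if nothing fires)."""
    findings: List[str] = []
    image, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["command_line"]

    # Stage 1 / Stage 2: a script host running a .js file from a user-writable directory.
    if image in SCRIPT_HOSTS and JS_FILE.search(cmd) and USER_WRITABLE.search(cmd):
        findings.append("script-host-runs-js-from-user-dir")

    # Stage 2 -> Stage 3 hand-off: wscript/cscript spawning PowerShell.
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        findings.append("script-host-spawns-powershell")

    # Persistence: a scheduled task created via schtasks.exe whose action is a .js file.
    if image == "schtasks.exe" and "/create" in cmd.lower() and JS_FILE.search(cmd):
        findings.append("scheduled-task-runs-js")

    return findings


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run every event through the rules and return (pid, rule) pairs for the hits."""
    return [(ev["pid"], rule) for ev in events for rule in classify_event(ev)]


# Constructed sample events (PIDs, paths and file names are made up for this example).
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\explorer.exe", "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": "explorer.exe"},
    {"pid": 4212, "image": r"C:\Windows\System32\wscript.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\service_agreement_template.js"'},
    {"pid": 4300, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'schtasks.exe /create /tn "Update Check" /tr "wscript.exe C:\Users\alice\AppData\Roaming\Update\update.js" /sc onlogon'},
    {"pid": 4410, "image": r"C:\Windows\System32\cscript.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'cscript.exe "C:\Users\alice\AppData\Roaming\Update\update.js"'},
    {"pid": 4520, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cscript.exe",
     "command_line": "powershell.exe <constructed stage-3 launch placeholder>"},
    # Benign: an admin script run from a system location does not fire any rule.
    {"pid": 4600, "image": r"C:\Windows\System32\cscript.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dli"},
]

if __name__ == "__main__":
    for pid, rule in scan(SAMPLE_EVENTS):
        print(pid, rule)
```

The schtasks.exe rule only covers tasks created through that binary; a task registered through the Task Scheduler COM interface from inside the script never spawns schtasks.exe, so pair this with Windows Security event 4698 (a scheduled task was created) and inspect the task action for a .js path there as well.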
ANALYSIS OF GOOTLOADER 3.0
GootLoader’s Stage 1 is an obfuscated JavaScript disguised as legal documents that scatters malicious code within legitimate libraries and executes it through a convoluted process. First, it deobfuscates segmented code by string concatenation across functions, and then it retrieves functions from an array and executes them through a loop.
Finally, the deobfuscated code within the final function drops Stage 2 as a .dat or .log file, inflates it with additional strings, renames it to .js, and schedules its execution, all of which makes analysis and detection difficult.
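The Stage 1 pattern of string fragments assigned inside unrelated functions and joined later with `+` can be undone statically, without executing the script. The following resolver is an added example written for this page, not the article's or Cybereason's tooling; the JavaScript sample is constructed, and the resolver is purely textual (it ignores JavaScript scoping and assumes no literal contains `+`), which is enough for this pattern but is not a general JavaScript evaluator.

```python
"""Resolve string fragments scattered across functions back into whole strings.

Added example, not the article's or Cybereason's code. The JavaScript sample is
constructed. The resolver is textual: it collects every `var NAME = 'literal';`
in the file, then folds every `var NAME = a + b + 'c';` chain in file order.
"""
import re
from typing import Dict

# var NAME = 'literal';   (one quoted fragment, no operators)
LITERAL_ASSIGN = re.compile(r"""var\s+(\w+)\s*=\s*(['"])((?:(?!\2).)*)\2\s*;""")
# var NAME = a + b + 'x';  (a '+' chain of identifiers and literals)
CONCAT_ASSIGN = re.compile(r"var\s+(\w+)\s*=\s*([^;+]*(?:\+[^;+]*)+);")


def resolve_expr(expr: str, table: Dict[str, str]) -> str:
    """Join a '+' chain, substituting known fragments; unknown names raise KeyError."""
    parts = []
    for tok in (t.strip() for t in expr.split("+")):
        if tok[:1] in ("'", '"') and tok[-1:] == tok[:1]:
            parts.append(tok[1:-1])      # inline literal
        else:
            parts.append(table[tok])     # previously collected fragment
    return "".join(parts)


def resolve_strings(src: str) -> Dict[str, str]:
    """Collect literal fragments, then fold every concatenation in file order."""
    table = {name: val for name, _quote, val in LITERAL_ASSIGN.findall(src)}
    for name, expr in CONCAT_ASSIGN.findall(src):
        try:
            table[name] = resolve_expr(expr, table)
        except KeyError:
            pass  # depends on something not resolvable statically; leave it unresolved
    return table


# Constructed sample: fragments hidden in otherwise ordinary-looking functions,
# joined far away from where they are defined.
SAMPLE_JS = r"""
function readCfg(n) {
  var q1 = 'WScr';
  return n + 1;
}
function sumList(a) {
  var q3 = 'ell';
  return a.length;
}
var q2 = "ipt.Sh";
var q4 = 'Sched';
var q5 = 'uled';
var host = q1 + q2 + q3;
var taskName = q4 + q5 + ' Task';
var unresolved = q1 + someCall();
"""

if __name__ == "__main__":
    for name, value in resolve_strings(SAMPLE_JS).items():
        print(f"{name} = {value!r}")
```

Running the resolver over a Stage 1 sample gives an analyst the reconstructed strings (COM object names, file paths, task names) without running the script, which is the first step before the function-array dispatch loop is traced.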
In Stage 2, the GootLoader payload obfuscates and executes code in segments, checks which process it is running in, and spawns PowerShell if needed to execute the final PowerShell script (Stage 3). Stage 3 gathers system information such as environment variables, OS version, disk space, and running processes.
It compresses and encodes this data before sending it to the C2 server in an HTTPS request, with the information hidden in the Cookie header. The server responds with a string containing further instructions, which Stage 3 extracts and executes.
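Because the beacon described above carries compressed, encoded system data inside the Cookie header, the request stands out by the length and entropy of that header rather than by its URL. The check below is an added example written for this page, not code from the article or from Cybereason: the proxy log layout (`<timestamp> <client> <host> Cookie: <value>`), the sample lines, the placeholder hostnames and the thresholds are all constructed, and the high-entropy blob is random data that only reproduces the size profile a defender would see, not the malware's actual encoding.

```python
"""Spot unusually long, high-entropy Cookie headers in outbound web-proxy records.

Added example, not code from the article or from Cybereason. The log line layout
("<timestamp> <client> <host> Cookie: <value>") and all sample lines are constructed;
the thresholds are starting points to be tuned against a per-environment baseline.
"""
import base64
import math
import random
from collections import Counter
from typing import Dict, List

MAX_NORMAL_COOKIE_LEN = 512   # constructed threshold; baseline it per environment
HIGH_ENTROPY_BITS = 4.5       # bits per character; uniformly random base64 is near 6.0


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed proxy record into its fields."""
    head, _sep, cookie = line.partition(" Cookie: ")
    ts, client, host = head.split(" ", 2)
    return {"ts": ts, "client": client, "host": host.strip(), "cookie": cookie.strip()}


def assess(rec: Dict[str, str]) -> Dict[str, object]:
    """Score one record: suspicious when the cookie is both long and high-entropy."""
    length, entropy = len(rec["cookie"]), shannon_entropy(rec["cookie"])
    return {
        "host": rec["host"],
        "length": length,
        "entropy": round(entropy, 2),
        "suspicious": length > MAX_NORMAL_COOKIE_LEN and entropy > HIGH_ENTROPY_BITS,
    }


def assess_lines(lines: List[str]) -> List[Dict[str, object]]:
    return [assess(parse_line(line)) for line in lines if " Cookie: " in line]


# Constructed stand-in for an encoded blob: random bytes, base64-encoded. This is
# NOT the malware's encoding; it only reproduces the length/entropy profile.
_rng = random.Random(2024)
_BLOB = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(1200))).decode()

SAMPLE_LINES = [
    "2024-05-01T10:00:00Z 10.0.0.5 www.example.invalid Cookie: sessionid=3f1c9a2b7e4d5c6f8a9b0c1d2e3f4a5b; lang=en",
    "2024-05-01T10:00:07Z 10.0.0.5 cdn.example.invalid Cookie: _ga=GA1.2.123456789.1714557600",
    "2024-05-01T10:00:12Z 10.0.0.5 c2.placeholder.invalid Cookie: " + _BLOB,
]

if __name__ == "__main__":
    for result in assess_lines(SAMPLE_LINES):
        print(result)
```

Legitimate signed session blobs and JWTs are also high-entropy, so this heuristic is a triage filter, not a verdict: baseline cookie length per destination host, and weight hits by how new or rarely contacted the host is for that client. Compression before encoding is exactly what pushes the entropy up, which is why the two conditions are combined rather than length alone.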
According to Cybereason, GootLoader was previously used to deploy GootKit and REvil ransomware and relies on SEO poisoning for widespread distribution. Its obfuscation relies on control-flow techniques such as segmented code and function arrays.
Stage 1 downloads obfuscated Stage 2 payloads from C2 servers based on domain membership (pre-v3.0), while Stage 3 uses PowerShell either for reflective loading of .NET DLLs (v1.0 and 2.0) or for C2 communication and post-exploitation tasks (v3.0).