The operators of the Gootloader malware that is used to gain a foothold in enterprises now have a new weapon in the form of a variant that can more easily move laterally through compromised networks and is more difficult to detect and block.

The introduction of the GootBot implant makes what already was a significant threat even more dangerous, according to IBM’s X-Force threat intelligence group.

“Previously, Gootloader was only observed as an initial access malware, after which attackers would load tools like CobaltStrike or use RDP to spread within the network,” X-Force researchers Golo Mühr and Ole Villadsen wrote in a report this week. “Campaigns leveraging GootBot for lateral movement constitute a significant change in post-infection TTPs [tactics, techniques, and procedures], as this custom tool enables threat actors to stay under the radar for a longer period.”

Gootloader for almost a decade has been a popular tool for bad actors looking to gain initial access into a targeted environment and create a pathway for deploying other threats. Google-owned security firm Mandiant wrote earlier this year that it was constantly responding to Gootloader infections and attributed the malware and accompanying infrastructure to a group referred to as UNC2565 – IBM calls the group Hive0127  — which is consistently improving the malware.

Some Changes a Year Ago

Since early 2022, Mandiant researchers said the group started making notable changes in its operations, including using multiple versions of the FoneLaunch launcher, new follow-on payloads, and alterations to the Gootloader downloader and infection chain.

“These changes are illustrative of UNC2565’s active development and growth in capabilities,” they wrote.

GootBot appears to fall into the category of capabilities growth. According to IBM, the custom tool for command-and-control (C2) and lateral movement is being used in lieu of CobaltStrike and other post-exploitation frameworks, making it more difficult for enterprise protections to detect.

Gootloader is delivered via SEO poisoning tactics – where bad actors manipulate search engine algorithms to promote malicious web pages and get them ranked highly on Google or Microsoft Bing searches, where they’re more likely to be trusted by unsuspecting users – and compromised WordPress site, giving initial access for other threat groups who want to deploy ransomware and other malware.

Hive0127 usually targets online searches for business-related documents like contracts and legal forms, with victims presented with a compromised site that appears legitimate and later tricked to download an archive file that contains Gootloader, which is then used by other cybercriminals to load such second-stage payloads as Cobalt Strike, IcedID, and SystemsBC.

GootBots Everywhere

Now, “after an infection, large amounts of GootBot implants are disseminated throughout corporate environments with each containing a different hardcoded C2 server, making it difficult to block,” Mühr and Villadsen wrote, adding that the time the report was written, “GootBot implants maintain zero AV [antivirus] detections on VirusTotal, enabling it to spread stealthily.”

Typically, once in a system, Gootloader will distribute GootBot among other malware payloads. GootBot has similar capabilities as Gootloader, but there are differences.

“Unlike Gootloader, GootBot is a lightweight obfuscated [PowerShell] script, containing only a single C2 server. GootBot implants, each of which contains a different C2 server running on a hacked WordPress site, spread throughout infected enterprise domains in large numbers in hopes of reaching a domain controller,” they wrote.

GootBot was made to move laterally through a compromised corporate environment. Once an initial system is infected, the malware receives scripts detailing the host and domain, Mühr and Villadsen wrote. In addition, there are several scripts that use disparate techniques to spread the GootBot payload to other hosts.

“GootBots’ C2 infrastructure can quickly generate large numbers of GootBot payloads to be disseminated, each with a different C2 address to contact,” they wrote. “These are deployed by lateral-movement scripts in an automated fashion, which may also lead to hosts being reinfected multiple times.”

GootBot also runs reconnaissance, collecting such information as domain user key, domain controllers, running processes, local IP address, and the hostname.

Awareness is Important

The introduction of GootBots into a Gootloader infection increases the threat to organizations, with the X-Force researchers saying enterprise security teams need to become familiar with its tactics.

“This is a highly effective malware that allows attackers to move laterally across the environment with ease and speed and extend their attacks,” they wrote. “In addition, Hive 0127’s usage of large clusters of compromised WordPress domains makes it increasingly difficult for defenders to block malicious traffic.”

Gootloader isn’t the most active malware loader. In a recent report by managed security provider ReliaQuest outlining the most used malware loaders, Gootloader was fourth on the list. The first three – QakBot, SecGholish, and Raspberry Robin – combined accounted for 80% of cybersecurity incidents tracked by ReliaQuest. Gootloader accounted for 3%.

However, it’s been around since 2014 and the operators continue to modify its capabilities, as GootBot shows, and Mühr and Villadsen wrote that as “Gootloader frequently serves as an initial access provider, awareness of these evolving TTPs and tools is important to mitigate the risk of impactful post-exploitation activity.”