GootBot: A Stealthy Game Changer in Malware

A new variation of the notorious GootLoader malware has made its debut, and it goes by the name of GootBot. 

This latest variant not only supports lateral movement across compromised networks but is also built to stay under the radar of standard detection tooling.

Cloud, Social Media, or Post-Exploitation Stage: What Else Will You Save?

Threat actors associated with Kinsing were found exploiting the Linux privilege escalation vulnerability known as Looney Tunables (CVE-2023-4911) in an experimental campaign aimed at breaching cloud environments. 

They extracted credentials from Cloud Service Providers, marking a strategic shift from their typical cryptocurrency mining operations.

Simultaneously, compromised Facebook business accounts are being used to spread bogus ads, enticing victims to download an updated version of the NodeStealer malware. 

These ads use revealing images of young women as bait; once clicked, they deliver a malicious .exe file that steals browser cookies and saved passwords.

NodeStealer, initially disclosed by Meta, is part of a growing cybercrime ecosystem in Vietnam.

In a separate development, attackers are targeting users of the Roblox gaming platform with phishing links, seeking to steal credentials and the in-game currency, Robux. 

This is particularly concerning given that a substantial portion of Roblox users are under 13 years old, potentially making them more susceptible to such scams.

A Strategic Shift in GootLoader’s Tactics

IBM X-Force researchers have discovered a significant shift in the GootLoader group’s strategy. 

They have introduced a custom bot into the later stages of their attack chain, a calculated move to evade detections that key on off-the-shelf post-exploitation and command-and-control (C2) tooling, such as CobaltStrike, or on Remote Desktop Protocol (RDP) use for lateral movement.

GootBot stands out as a lightweight yet effective implant that lets attackers spread rapidly through an already-compromised network and deploy additional malicious payloads.

The Deceptive Mastermind!

True to its name, GootLoader is a loader: it uses search engine optimization (SEO) poisoning to lure unsuspecting individuals to booby-trapped pages, and the file they download then pulls in the subsequent stages of the malware.

The campaign is attributed to the threat actor IBM tracks as Hive0127, also known as UNC2565.

Silent Infiltration

The use of GootBot marks a significant tactical shift. Instead of employing post-exploitation frameworks like CobaltStrike, this implant is downloaded as a payload after a GootLoader infection. 

Described as a PowerShell script, GootBot establishes a connection with a compromised WordPress site, serving as the command and control center, where it awaits further instructions.

Unpredictable C2 Servers

Adding to the complexity, each GootBot sample carries its own hard-coded C2 server. Because no two samples share a C2 address, blocking the malicious traffic by domain or IP indicator does not scale, making the implant much harder for defenders to contain.


Deception Which Leaves You Stunned!

Campaigns leveraging GootBot have been observed employing SEO-poisoned search queries built around lure themes such as contracts, legal documents, and business-related materials. 

These queries lead victims to compromised websites artfully designed to mimic legitimate forums. Victims are deceived into downloading an initial payload packaged as an archive file.

The archive file conceals a JavaScript component that, once executed, triggers the retrieval of another JavaScript file via a scheduled task, ensuring persistence. 

Next, this JavaScript executes a PowerShell script. 

This script is responsible for gathering system information and transmitting it to a remote server, which, in turn, responds with a PowerShell script set to run indefinitely. 

This provides threat actors with the capability to disseminate various payloads, including GootBot.
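Because each GootBot sample beacons to its own C2 address, blocking on network indicators does not scale; the chain above is better caught on endpoint behaviour, namely a scheduled task that runs a script host on a .js file from a user-writable directory, and a script host spawning PowerShell. The following Python is an added example, not code from IBM X-Force or from the article itself. It runs those two rules over constructed event records shaped like a Windows scheduled-task-creation event (EID 4698) and a Sysmon process-creation event (EID 1); the field names, host names, paths, task names and command lines are assumptions made up for the example and will differ in a real SIEM.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Script hosts that GootLoader's first-stage JavaScript is launched through.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Directories an unprivileged user can write to; a legitimate scheduled task
# rarely runs a .js file stored here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
JS_ARG = re.compile(r"\S+\.js\b", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    computer: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_task_creation(ev: dict) -> Optional[Alert]:
    """EID 4698: a new task whose action runs a script host on a .js file
    stored under a user-writable directory (the persistence step above)."""
    cmd = ev.get("TaskCommand", "")
    args = ev.get("TaskArguments", "")
    if (_basename(cmd) in SCRIPT_HOSTS
            and JS_ARG.search(args)
            and USER_WRITABLE.search(args)):
        return Alert("gootloader_js_scheduled_task", ev["Computer"],
                     f"{ev['TaskName']}: {cmd} {args}")
    return None


def check_process_creation(ev: dict) -> Optional[Alert]:
    """Sysmon EID 1: a script host spawning PowerShell (the JavaScript stage
    handing off to the PowerShell collector)."""
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS and image in ("powershell.exe", "pwsh.exe"):
        return Alert("script_host_spawned_powershell", ev["Computer"],
                     ev.get("CommandLine", ""))
    return None


def hunt(events) -> list:
    """Run both rules over a sequence of event dicts and collect the alerts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 4698:
            alert = check_task_creation(ev)
        elif ev.get("EventID") == 1:
            alert = check_process_creation(ev)
        else:
            alert = None
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry): one benign and one
# suspicious record of each type.
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "WS01",
     "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "TaskCommand": r"%SystemRoot%\System32\usoclient.exe",
     "TaskArguments": "StartScan"},
    {"EventID": 4698, "Computer": "WS01", "TaskName": r"\Contract Agreement",
     "TaskCommand": "wscript.exe",
     "TaskArguments": r'"C:\Users\alice\AppData\Roaming\Contract Agreement 2023.js"'},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c <constructed placeholder>"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.computer}: {a.detail}")
```

Run as a script it prints the two suspicious records and stays silent on the benign ones. The rules key on behaviour (script host plus user-writable .js, script host plus PowerShell child) rather than on any hash, domain or task name, which is the point when every sample ships with a different C2.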

How Long Will You Go For Cyber Security?

The wide-ranging capabilities of GootBot encompass activities such as reconnaissance and executing lateral movements within the compromised environment, effectively expanding the scope and impact of the attack.

GootBot shows how far attackers are willing to go to avoid detection and operate covertly. This shift in tactics and tools raises the risk that post-exploitation stages will succeed unnoticed. 

Preventing lateral movement, data exfiltration, privilege escalation, and persistence has therefore become essential to avoiding long-term damage from such attacks. 

Author: Marrium Akhtar

Date: November 8, 2023

Marrium is a dedicated digital Marketer and an SEO enthusiast who is skilled in cracking SEO codes. Other than work, she loves to stream, eat, and repeat.
