GootBot, a new variant of the GootLoader malware, has been detected to enable lateral movement on compromised systems and avoid detection.
Golo Mühr and Ole Villadsen of IBM X-Force said that the GootLoader group introduced their own custom bot into the final stages of their attack chain in an effort to evade detection while employing commercial C2 tools like CobaltStrike or RDP.
"This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads," the researchers explained.
As its name suggests, GootLoader is a malware that can lure in potential victims by employing search engine optimisation (SEO) poisoning techniques, and once inside, it can download more sophisticated malware. It is linked to a threat actor known as UNC2565, also tracked as Hive0127.
The use of GootBot suggests a change in strategy from post-exploitation frameworks like CobaltStrike, with the implant being downloaded as a payload following a Gootloader infection.
GootBot, which is described as an obfuscated PowerShell script, is designed to connect to a WordPress website that has been compromised in order to take control of it and issue commands.
The use of an alternate hard-coded C2 server for every deposited GootBot sample complicates matters even more and makes it challenging to block malicious traffic.
"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers added.
An obfuscated JavaScript file included in the archive file is executed by a scheduled task to retrieve another JavaScript file for persistence.
The second stage involves the engineering of JavaScript to execute a PowerShell script that collects system information and exfiltrates it to a remote server. The server then responds with another PowerShell script that runs indefinitely and gives the threat actor the ability to disperse different payloads.
Among them is GootBot, which sends out beacons to its C2 server once every 60 seconds to retrieve PowerShell tasks to be executed and sends back HTTP POST requests to the server with the results of the execution.
GootBot's other skills include reconnaissance and lateral movement, which let it effectively increase the attack's range.