The Silent Threat Among Us
Originating as a banking trojan and stealer in 2014, GootLoader has transformed into a sophisticated multi-payload malware platform. It now operates within a Ransomware-as-a-Service (RaaS) criminal business model, offering Initial-Access-as-a-Service (IAaaS).
GootLoader doesn’t discriminate when it comes to targets, having been involved in activities against various industries, including Military, Legal, Financial, Banks, Manufacturing, and Healthcare. Its primary focus has been on regions such as the United States, Canada, France, Germany, Australia, and South Korea.
GootLoader’s Infection Chain
The infection chain employed by GootLoader is sophisticated, utilizing search engine poisoning and compromised websites to drive victims into unintentional drive-by download activities. The concealed JavaScript payload is nested within a compressed ZIP file, disguising the first-stage payload as a seemingly innocent document. We’ll delve into the intricacies of GootLoader’s execution pattern during 2022, involving WScript, CScript, and Windows Registry keys for payload staging.
Emulating GootLoader with AttackIQ Flex
To confront the dynamic threat posed by GootLoader, organizations can take advantage of AttackIQ Flex. Before diving into testing, users can sign up for AttackIQ Flex for FREE, gaining access to a robust agentless breach and attack simulation tool.
AttackIQ Flex facilitates comprehensive testing of security controls. Users can assess the performance of their defenses against digital freeloaders like GootLoader, a tool widely favored by criminal groups. Through emulations based on AttackIQ’s attack graphs, organizations can identify and address gaps in their security infrastructure.
Security is an ongoing process, and AttackIQ Flex supports continuous validation. Organizations can regularly and discreetly test and refine their detection and prevention pipelines against the evolving intrusion chains of GootLoader and other threat actors, ensuring they remain resilient against digital freeloaders operating in the shadows.
Scenarios included in GootLoader AttackIQ Flex Package:
- List Environment Variables via “set” Command
- Persistence Through Scheduled Task
- Save 2022-01 FONELAUNCH Loader Sample to File System
- System Network Configuration Discovery via “GetAdaptersInfo” Native API
- Save 2022-04 GootLoader Malicious ZIP Sample to File System
- Process Hollowing
- Download 2022-04 GootLoader Malicious ZIP Sample to Memory
- Save 2022-05 BokBot Sample to File System
- Reflective DLL Injection
- Create Registry Entry
- User Security Identifier (SID) via “LookupAccountNameW” Native API
- Download 2022-05 BokBot Sample to Memory
- System Owner/User Discovery via “GetUserNameW” Native API
- System Information Discovery via “GetComputerNameExW” Native API
- Save 2022-04 GootLoader Malicious JS Sample to File System
- Exfiltrate Text File Containing Windows System Profiling Data via HTTP to Test Server
- System Information Discovery via Native API
- JavaScript File Execution via “cscript.exe” Script
- Download 2022-01 FONELAUNCH Loader Sample to Memory
Conclusion
GootLoader poses a formidable and stealthy threat, but with AttackIQ Flex, organizations can proactively strengthen their covert security posture against freeloaders. If you’d like more technical information on GootLoader, its targets, infection chain, and attack graphs, read the AttackIQ Adversary Research Team’s blog. We encourage organizations like yours to embrace security validation as it will undoubtedly enhance your ability to discreetly thwart evolving cyber threats.