GootLoader was born from GootKit, a banking trojan that first appeared around 2014. In recent years GootKit has evolved into a sophisticated and evasive loader — and it was given a new name to reflect its new purpose in 2021. The same group is responsible for both versions of the malware, and is monitored by Mandiant as UNC2565.
The evolution of GootLoader reflects the evolution of cybercriminal gangs. Many of the more sophisticated gangs are switching to a malware-as-a-service business model: they develop the malware, and less-advanced gangs or individuals pay to use it. In this case, it is access (or victim) as a service. GootLoader provides access to victims primarily for ransomware. The access is likely taken up by ransomware-as-a-service (RaaS) groups who sell on the access to ransomware groups or individual criminals. For further details on this business model, see Cyber Insights 2023: Criminal Gangs.
GootLoader continues to evolve. Researchers at Cybereason have published a deep dive into the latest version.
The infection journey starts within compromised WordPress sites. These sites are given greater validity through SEO poisoning techniques, with keywords likely hidden within the HTML code of otherwise legitimate pages. Google Ads may also be used. With a high search engine ranking, potential victims are more likely to visit the compromised site.
The primary targets are healthcare and finance within English speaking countries, such as the US, the UK and Australia.
As an aside, the researchers used ChatGPT to make some of the PowerShell code more easily understood. It was used, for example, to change the original variable names into more descriptively pertinent names. This it did effectively, but researcher Loic Castel told SecurityWeek that ChatGPT’s value to seasoned researchers is limited. “It cannot help with the more complex work – couldn’t help with the de-obfuscation – but it may be used by junior researchers in more basic stages.”
Lateral movement starts with disabling Microsoft Defender, and proceeds with Cobalt Strike loaded through DLL hijacking. SystemBC is deployed.
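The first lateral-movement step described above, disabling Microsoft Defender, is one of the few points in this chain that leaves a clear trace on the endpoint. The following is an added example, not code from the article or from Cybereason, showing how a defender might flag that step in collected telemetry. The log lines are constructed for illustration; the format (an event ID followed by key=value fields) is an assumption, not any product's real export format. The cmdlets `Set-MpPreference` and `Add-MpPreference` are real Defender PowerShell cmdlets, and Windows Defender operational-log event ID 5001 does record real-time protection being disabled; everything else is sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry (not real data): a mix of process-creation
# command lines (4688) and a Windows Defender operational-log event (5001),
# one record per line in an assumed "EventID key=value ..." layout.
SAMPLE_LOG = """\
4688 cmd=C:\\Windows\\System32\\notepad.exe
4688 cmd=powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true
5001 src=Microsoft-Windows-Windows Defender msg=Real-time protection is disabled.
4688 cmd=powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public
4688 cmd=C:\\Program Files\\Legit\\app.exe --update
"""

# Detection rules: a name plus a case-insensitive regex applied to the raw line.
# The command-line rules catch the tampering attempt; the event rule catches
# the outcome, so either source alone is enough to raise an alert.
RULES = [
    ("defender-realtime-off-cmdline",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("defender-exclusion-added",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("defender-realtime-off-event",
     re.compile(r"^5001\b")),
]


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the input
    rule: str      # name of the rule that fired
    line: str      # the offending record, kept for the analyst


def scan(log_text: str) -> list[Finding]:
    """Run every rule over every line and return all matches in input order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for name, rx in RULES:
            if rx.search(line):
                findings.append(Finding(n, name, line))
    return findings


def summarize(findings: list[Finding]) -> list[str]:
    """Distinct rule names that fired, sorted, for a one-line alert summary."""
    return sorted({f.rule for f in findings})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.rule}: {f.line}")
    print("rules fired:", ", ".join(summarize(hits)))
```

The point of pairing command-line and event-log rules is resilience: if the command line is obfuscated or logged elsewhere, the Defender event still records that real-time protection went off, and a change in that state on a host that has no change ticket is exactly the kind of anomaly the article says is needed to catch this loader.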
Cybereason was unable to see the final effect of GootLoader. The instance comes from its own telemetry where it detected and stopped GootLoader’s progress. The final malware deployment didn’t happen. But they did detect the deployment of SystemBC.
“SystemBC is what we call the precursor of ransomware,” explained Castel. “We often see it hours, maybe days, before the ransomware is actually deployed. This is something that is often deployed just before a ransomware attack.”
Any subsequent ransomware attack would almost certainly not have been delivered by UNC2565. Their function within the modern criminal ecosphere is to provide access to victims, and to sell that access to other criminals. The final payload is not pre-defined, but it seems likely to be particularly relevant for ransomware.
GootLoader is not a specifically targeted attack. However, some generalized targeting is achieved through the development of the original watering hole process. This suggests that this instance of the malware is aimed at the healthcare and finance sectors within English-speaking countries.
Cybereason assesses the GootLoader threat level as ‘severe’. The malware uses a combination of evasion and living off the land techniques, and its presence is unlikely to be spotted by anything other than AI-assisted anomaly detection.