Network Security, Malware, Threat Intelligence

Updated GootLoader malware variants emerge


Attacks with the GootLoader malware used to distribute IcedID, REvil, Gootkit, and other payloads have intensified with the appearance of new variants of the loader, which has been associated with the Hive0127 threat operation, also known as UNC2565, reports The Hacker News.

Compromised websites have been seeded with the GootLoader JavaScript payload disguised as legal documents; when executed, the payload creates a scheduled task for persistence and launches a second JavaScript stage that performs data collection, a Cybereason analysis found.

Intrusions were also concealed through the use of source code encoding, payload size inflation, and control flow obfuscation, according to researchers, who also highlighted that GootLoader code was embedded inside legitimate JavaScript library files such as Lodash, tui-chart, Maplace.js, and jQuery.
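The two evasion traits described above, inflated payload size and loader code hidden inside an otherwise familiar JavaScript library, lend themselves to a simple triage heuristic. The script below is an added example for defenders, not code from Cybereason or SC Media: it compares a library file's size against an expected baseline for the library its filename claims to be, and scans its string literals for unusually long, high-entropy blobs of the kind an encoded stage leaves behind. The baseline sizes, thresholds, and both sample files are constructed for illustration and are not measurements of any real library or real GootLoader sample.

```python
"""Heuristic triage of JavaScript library files for signs of an embedded loader.

Added example (not the vendor's or the article's code). Two checks:
  1. size inflation relative to a constructed per-library baseline;
  2. a long string literal whose character entropy is high enough to
     suggest encoded or packed content rather than normal library code.
"""
import math
import re
import string
from dataclasses import dataclass, field

# Constructed placeholder baselines in bytes; real deployments would use
# hashes or sizes taken from the vendor's published release artifacts.
EXPECTED_SIZE = {"jquery": 90_000, "lodash": 70_000,
                 "maplace": 20_000, "tui-chart": 300_000}

SIZE_RATIO_THRESHOLD = 3.0      # flag files more than 3x their baseline
LONG_STRING_THRESHOLD = 2_000   # characters; legitimate literals are short
ENTROPY_THRESHOLD = 4.5         # bits/char; English/JS text sits well below

# Matches single- or double-quoted JS string literals, honouring escapes.
STRING_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")


def shannon_entropy(data: str) -> float:
    """Bits of entropy per character of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class Finding:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(name: str, content: str) -> Finding:
    """Run both heuristics over one file and return the reasons it tripped."""
    finding = Finding(name)

    # Check 1: size inflation against the baseline for the claimed library.
    key = next((k for k in EXPECTED_SIZE if k in name.lower()), None)
    if key is not None:
        ratio = len(content) / EXPECTED_SIZE[key]
        if ratio > SIZE_RATIO_THRESHOLD:
            finding.reasons.append(
                f"size {len(content)} is {ratio:.1f}x the baseline for {key}")

    # Check 2: a single long, high-entropy string literal.
    for match in STRING_LITERAL.finditer(content):
        literal = match.group(1) if match.group(1) is not None else match.group(2)
        if len(literal) >= LONG_STRING_THRESHOLD:
            ent = shannon_entropy(literal)
            if ent >= ENTROPY_THRESHOLD:
                finding.reasons.append(
                    f"string literal of {len(literal)} chars with entropy {ent:.2f}")
                break
    return finding


# Constructed sample: a tiny stand-in for a clean library file.
CLEAN_JS = (
    "/*! jQuery stand-in (constructed) */\n"
    "(function(w){w.$=function(sel){return document.querySelector(sel);};"
    "w.$.version='3.x';})(window);\n"
)

# Constructed sample: the same stub with a huge junk comment (size inflation)
# and a long pseudo-random literal standing in for an encoded stage.
_ALPHABET = string.ascii_letters + string.digits
_BLOB = "".join(_ALPHABET[(i * 37) % len(_ALPHABET)] for i in range(3_000))
INFLATED_JS = (
    CLEAN_JS
    + "/* " + "x" * 400_000 + " */\n"
    + "var _p='" + _BLOB + "';\n"
)


if __name__ == "__main__":
    for label, body in (("jquery-3.6.0.min.js", CLEAN_JS),
                        ("jquery-3.6.0.min.js", INFLATED_JS)):
        result = triage(label, body)
        print(label, "SUSPICIOUS" if result.suspicious else "clean", result.reasons)
```

Both checks are deliberately coarse: a minified bundle that legitimately concatenates several libraries will trip the size ratio, so the output is a triage queue for a human, not a verdict. Replacing the size baseline with a hash allow-list of known-good release files removes that false positive at the cost of maintaining the list.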

"While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware's resurgence in 2020," said Cybereason researchers.
