
Gootloader malware, SEO poisoning targets healthcare in ‘aggressive’ campaign

Armela Manas, a registered nurse, uses a computer on wheels at University Hospital in Newark, N.J., May 7, 2020. (U.S. Army photo by Spc. Miguel Pena)

An “aggressive threat actor” is targeting the finance and healthcare sectors with Gootloader malware and SEO poisoning tactics, according to the Cybereason Incident Response team. The threat level should be viewed as severe, “given the potential of the attacks.”

“The threat actor displayed fast-moving behaviors, quickly heading to control the network it infected, and getting elevated privileges in less than 4 hours,” researchers wrote.

Cybereason investigated an incident in December in which the attackers succeeded using new deployments of Gootloader. The investigation revealed a number of concerning tactics, including SEO poisoning to lure victims into downloading malicious payloads. The same methods have appeared in other recent attacks, pointing to an ongoing campaign.

The attack analysis confirmed multiple layers of obfuscation and the “existence of multiple JavaScript loops that makes the execution longer, probably acting as an anti-sandbox mechanism.”

Gootloader is a highly evasive loader that masquerades as legitimate JavaScript code to slip past traditional security mechanisms. The malware began as a trojan in 2014; in 2021 its operators repurposed it as a malware loader, which is when the Gootloader name was coined. Mandiant tracks the operators as UNC2565, while Sophos was the first to call the variant "Gootloader."

“The actors create websites or populate web forums or similar websites with specific keywords and links, leading to a website hosting the infected file,” researchers wrote. In other words, the threat actors use SEO poisoning to push their infected pages to the top of search engine results, where they appear to be legitimate sites.

“SEO poisoning and Google service abuse, in general, have been documented a lot recently, which indicates this infection vector is becoming common for threat actors,” they added.

The team “observed the deployment of Gootloader through heavily obfuscated JavaScript files with a file size of more than 40 Megabytes,” and also saw fake search engine ads that linked to the malicious file.

The infections follow a similar flow: a user is tricked into downloading the malware through the tactics above; the downloaded ZIP file is decompressed, yielding the first-stage JavaScript, which in turn retrieves the second-stage payload; and the JavaScript itself is padded to an enormous size to throw off security tools that skip or time out on large files.

Researchers note that most of the domains hard-coded in the Gootloader PowerShell second-stage script shared one trait: VirusTotal showed “/xmlrpc.php” URLs associated with them. That fits the known pattern of the actors behind the variant, who commonly use compromised WordPress websites as C2 servers.
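The delivery chain described above (ZIP, oversized first-stage JavaScript, PowerShell second stage) lends itself to two simple host-side checks. The following is an added example written for this article, not code from Cybereason's report or from the Gootloader samples it analyzes. It assumes Sysmon-style process creation events with pid, parent pid, image path and command line, and that the user opened the ZIP from a user-writable location such as Downloads or the Explorer temporary extraction folder; the event data and the sample archive are constructed inline. The 40 MB threshold is taken from the article; everything else (field names, paths, the sample file name) is an assumption for illustration.

```python
"""Heuristic detection for a Gootloader-style delivery chain.

Check 1: a ZIP containing a single .js member whose *uncompressed* size is
         far above what a script download should be (the article cites > 40 MB).
Check 2: a Windows script host (wscript/cscript) launched with a .js from a
         user-writable path, followed by a PowerShell child of that script host.
All sample data below is constructed for the example.
"""
from __future__ import annotations

import io
import zipfile
from dataclasses import dataclass
from typing import Iterable

SIZE_THRESHOLD = 40 * 1024 * 1024  # 40 MB, the order of magnitude the article reports

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed user-writable locations; extend with your environment's own paths.
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\")


def oversized_js_members(zip_bytes: bytes, threshold: int = SIZE_THRESHOLD) -> list[str]:
    """Return names of .js/.jse members whose uncompressed size exceeds threshold.

    The padded JavaScript compresses very well, so the archive on disk can be
    small; only the member's uncompressed size gives the check away.
    """
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if name.endswith((".js", ".jse")) and info.file_size > threshold:
                hits.append(info.filename)
    return hits


def build_sample_zip(js_size: int, name: str = "agreement_12345.js") -> bytes:
    """Constructed sample: a ZIP holding one JavaScript member padded to js_size bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, "// " + "x" * max(js_size - 3, 0))
    return buf.getvalue()


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable, as Sysmon's Image field
    cmdline: str    # as Sysmon's CommandLine field


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def gootloader_chains(events: Iterable[ProcEvent]) -> list[tuple[ProcEvent, ProcEvent]]:
    """Return (script_host_event, powershell_event) pairs matching the chain."""
    evs = list(events)
    by_pid = {e.pid: e for e in evs}
    chains: list[tuple[ProcEvent, ProcEvent]] = []
    for e in evs:
        if _basename(e.image) != "powershell.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) not in SCRIPT_HOSTS:
            continue
        cl = parent.cmdline.lower()
        if ".js" in cl and any(p in cl for p in USER_WRITABLE):
            chains.append((parent, e))
    return chains


# Constructed sample events: one Gootloader-like chain plus one benign admin script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'"wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_agreement.zip\agreement_12345.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -ep bypass -enc AAAA"),
    ProcEvent(400, 1, r"C:\Windows\System32\cscript.exe",
              r'cscript.exe "C:\Program Files\Vendor\inventory.vbs"'),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\ProgramData\\Vendor\\report.ps1"),
]

if __name__ == "__main__":
    print("oversized js:", oversized_js_members(build_sample_zip(2048), threshold=1024))
    for host, ps in gootloader_chains(SAMPLE_EVENTS):
        print(f"chain: pid {host.pid} ({_basename(host.image)}) -> pid {ps.pid} powershell")
```

Both checks are deliberately narrow. The size check only works on the uncompressed member size, because the padded script deflates to a fraction of its size; the process check keys on the parent being a script host launched from a user-writable path, which excludes the common case of signed administrative scripts under Program Files or ProgramData. Neither check decodes the obfuscated JavaScript or the PowerShell payload; they flag the chain early enough that an analyst can pull those stages for inspection.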

After the Gootloader infection, the threat actor moved to “hands-on keyboard activities,” deploying two further tools: the Cobalt Strike attack framework and SystemBC, “a proxy malware leveraging SOCKS5 and often used during the exfiltration phase of an attack.”

The attackers also used DLL hijacking “on top of a VLC MediaPlayer executable,” abusing a legitimate media player binary to load their own code. These tools served both the post-infection and lateral movement stages of the attack.

A successful infection gives the threat actor remote control of the victim’s device and the ability to gather system information, before launching a “discovery process” to select the most interesting targets. Gootloader also lets the attackers maintain persistence through a scheduled task, collect data, and keep remote control over time.

What’s more, “the attacker has resilience over the C2 as 10 different compromised websites are configured for the specific analyzed Gootloader payload.” Cybereason’s report contains a host of IOCs and technical details on Gootloader tactics, which can support both detection and remediation.

Given the spate of targeted ransomware and DDoS attacks on healthcare, provider organizations should be on high alert.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
