The Gootloader group has developed a new variant for command-and-control (C2) and lateral movement — dubbed "GootBot" — that has been observed in campaigns leveraging SEO-poisoned searches for contracts, legal forms, and other business documents.
In a blog post Nov. 6, IBM X-Force researchers said GootBot directs victims to compromised sites designed to look like legitimate forums where they are then tricked into downloading the initial payload as an archive file. The IBM researchers said after an infection, large amounts of GootBot implants are disseminated throughout corporate environments with each containing a different hardcoded C2 server, making it difficult to block.
At the time of this writing, GootBot implants maintain zero AV detections on VirusTotal, which the researchers said allows it to spread stealthily. The researchers also pointed out that Gootloader has served as an initial access provider and successful infections have been known to lead to ransomware.
The Gootloader group, which X-Force tracks as Hive0127 (aka UNC2565), has been active since 2014 and relies on a combination of SEO poisoning and compromised WordPress sites to deliver Gootloader. These infections offer initial access for other threat actors, including ransomware affiliates, and attacks have led to follow-on payloads such as IcedID, Cobalt Strike, and SystemBC.
SEO poisoning drives users to malicious payloads by manipulating the search results for key terms, explained Melissa Bischoping, director, endpoint security research at Tanium. Bischoping added that most security awareness training focuses heavily on phishing and other methods where an attacker sends something to the user.
“There’s a false sense of security that people place in search result top rankings, and an outdated mindset that the lock on the address bar means a site is safe,” said Bischoping. “The attackers behind these tactics are targeting users who are likely to be in non-IT roles as evidenced by their searches focused on legal, financial, or HR topics. They are likely hoping those users will be less aware of these tactics, less tech savvy, or perhaps more trusting.”
Anurag Gurtu, chief product officer at StrikeReady, added that GootBot's importance lies in its sophistication and evolution. Gurtu said it represents an advanced stage in the evolution of malware delivery mechanisms. Unlike its predecessors, Gurtu said GootBot uses a "stealthier" approach to avoid detection and employs social-engineering tactics to lure users into enabling its malicious payload. This evolution indicates that threat actors are continuously innovating to bypass conventional security measures.
“Security teams should take a multi-layered approach to protect their systems against GootBot and similar threats,” said Gurtu. “First, they should ensure that all endpoints are protected with up-to-date antivirus software that can recognize and neutralize such threats. Second, it's crucial to implement a robust education program to train staff on how to recognize social engineering and phishing attempts. Further, since GootBot uses fileless techniques for post-exploitation, organizations should also consider employing advanced threat detection systems that can identify and respond to anomalous behaviors typical of such fileless attacks, even if the initial infection vector isn't immediately identifiable.”
Casey Ellis, founder and chief strategy officer at Bugcrowd, said this case struck him as a very organized and thoughtful initial access broker (IAB).
“Their watering-hole style deployment of malicious SEO isn’t particularly targeted, however, it suits the opportunistic attack model of an IAB quite well,” Ellis said. “For defenders, it’s important to remember that organized cybercrime continues to evolve, stratify, and mature, and that the threat actor behaviors now include this type of ‘long, wide’ game.”
