Gootbot: A new post-exploitation implant for lateral movement – CSO Online

The Gootloader malware gang's custom bot is designed to avoid detection during late stages of the attack chain.

The creators of Gootloader, a malicious program commonly used to deploy ransomware and other malware threats on enterprise networks, have developed a new second-stage implant. Dubbed GootBot, the new post-exploitation tool is written in PowerShell and is pushed to other systems on compromised networks via lateral movement techniques.
“The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 [command-and-control] such as CobaltStrike or RDP,” researchers from IBM X-Force said in a new report. “This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads.”
The Gootloader group, tracked as Hive0127 by X-Force or UNC2565 by Mandiant, has operated for many years, initially by developing and spreading a trojan program called Gootkit that was focused on stealing online banking credentials. Gootloader is the group’s first-stage component — or malware loader — that was used to deploy Gootkit on infected systems.
Like TrickBot and other banking trojan creators, the Gootkit developers joined the lucrative ransomware ecosystem several years ago and pivoted from stealing and selling online banking credentials to on-demand deployment of malicious payloads for other cybercriminals. For example, the Gootloader group had a notable partnership with the now defunct REvil ransomware gang.
As a provider of initial access services, the Gootloader component became much more important to the group’s operations than the Gootkit trojan itself so the group started deploying other second-stage implants like Cobalt Strike, a commercial penetration testing tool, that would provide it with persistent access to compromised systems and command-and-control (C2) capabilities.
First-stage malware loaders such as Gootloader are usually lightweight programs or scripts whose goal is to collect basic information about systems and download secondary payloads from hardcoded locations and deploy them. They don’t have advanced capabilities like advanced C2 mechanisms that allow back-and-forth communication with attackers and on-demand command execution.
Gootloader itself is written in JavaScript and is distributed through black hat search engine optimization (BHSEO) campaigns that involve using compromised websites to inject rogue results into search engines. Gootloader search result poisoning campaigns typically target keywords for business documents specific to different industries.
“Hive0127 typically targets online searches for contracts, legal forms or other business-related documents; for example: ‘Is a closing statement the same as a grand contract?’,” researchers from X-Force explain. “Targets are served a compromised website modified to appear as a legitimate forum at the top of the poisoned search engine results page. Within the forum conversation, the targets are then tricked into downloading an archive file related to their initial search terms, but which actually contains Gootloader.”
Upon execution, Gootloader drops a malicious JavaScript file in an existing folder from the %APPDATA% directory and sets up a scheduled task to ensure its persistent execution at restart. The JavaScript file then executes a PowerShell script that collects basic information about the system and uploads it to ten hard-coded URLs — usually compromised WordPress websites. The script also searches in a loop for additional PowerShell payloads to download and execute from those servers.
In past campaigns, this is the stage where attackers deployed Cobalt Strike or other more advanced payloads. However, the X-Force researchers recently observed a new payload in the form of an obfuscated PowerShell script that reaches out to a single C2 server and waits for additional tasks to execute. They named this payload GootBot since it’s a more lightweight variant of Gootloader itself.
“As a response, GootBot expects a string consisting of a Base64-encoded payload, and the last eight characters being the task name,” the researchers said. “It then decodes the payload and injects it into a simple scriptblock before executing it in a new background job using the ‘Start-Job’ Cmdlet. This allows the PowerShell payload to be run asynchronously and without creating a child process, potentially resulting in less EDR detections.”
What makes GootBot different is that it’s not only deployed on the system where Gootloader was first executed, but also to other systems from the same network. The payloads that GootBot receives are PowerShell scripts used for lateral movement that enumerate network systems and the domain and exfiltrate credentials by dumping the memory of the LSASS process, as well as registry hives such as SAM, SYSTEM, and SECURITY.
These credentials are then used to push new GootBot instances to other systems on the network using a variety of techniques such as WinRM in PowerShell, the Windows Management Instrumentation (WMI) interface or the Invoke-Command Cmdlet. Copying payloads via SMB and WinAPI calls to SCM (Service Control Manager) to create remote services and scheduled tasks have also been observed.
Each new GootBot instance has a unique C2 server defined and the script itself has a very low detection rate. The detection rate was zero on the VirusTotal multi-engine antivirus scanner when X-Force came across the new payload.
“This is a highly effective malware that allows attackers to move laterally across the environment with ease and speed and extend their attacks,” the researchers said. “In addition, Hive 0127’s usage of large clusters of compromised WordPress domains makes it increasingly difficult for defenders to block malicious traffic.”
Lucian Constantin writes about information security, privacy, and data protection for CSO.
Sponsored Links