GootLoader Malware

What Is GootLoader Malware?

GootLoader is a stealthy malware classified as a first-stage downloader designed to attack Windows-based systems. It is considered an Initial-Access-as-a-Service (IAaaS) tool used within a Ransomware-as-a-Service (RaaS) criminal business model. GootLoader’s earliest second-stage payload and the source of its name, GootKit, is a banking trojan and stealer that has been in use since 2014. It includes JavaScript and C++ modules to execute remote commands, man-in-the-browser attacks, keystroke exfiltration, screenshots, and stealing credentials.

GootLoader has only been in use since late 2020, but in its short lifespan, it has evolved from a mere Gootkit downloader into a multi-payload malware platform capable of delivering sophisticated second-stage payloads such as Cobalt Strike beacon and REvil ransomware

Notably, GootLoader has been deployed via search engine optimization (SEO) poisoning to funnel victims toward drive-by download campaigns that deliver its first-stage payload. It has been observed in attacks against organizations across many industries, including military, financial, legal, banks, manufacturing, and business service organizations, primarily in the U.S., Canada, France, Germany, and South Korea.

GootLoader is known for its multi-stage attack process, obfuscation tactics, and for using SEO poisoning to honeypot victims into social engineering traps. SEO poisoning involves hijacking a highly ranked website or creating fake business websites that target long-tail (specific) search terms to appear at the top of Google search engine results pages. SEO poisoning allows attackers to entice visitors with trojanized software and documents promising to increase worker productivity.

SEO redirection, a technique used in SEO poisoning, modifies a compromised web server’s configuration to forward visitors to an attacker-controlled website. SEO redirection also effectively transfers any Google search engine rank to the malicious domain URL, stealing the legitimate site’s search popularity.

GootLoader’s First-Stage Tactics for Gaining Initial Access

  • Exploiting WordPress vulnerabilities on sites that offer professional services or gaming hacks to entice victims with claims of providing valuable information or document templates
  • Malicious JavaScript [.js] files that impersonate a legitimate document 
  • Delivery within ZIP archives to avoid detection from less sophisticated endpoint security products
  • Using web browser attacks known as Highly Evasive Adaptive Threats (HEAT) to evade detection by security products by hijacking the browser’s process to execute exploit code

GootLoader’s second-stage payload can successfully deploy onto a target’s device undetected using an advanced fileless technique known as reflective loading—allocating then executing payloads directly within the memory of an ongoing process rather than that of a separate process. GootLoader can also maintain persistence using PowerShell commands to create a scheduled Windows task that periodically loads and runs the primary payload. A full technical explanation of GootLoader’s exploit path can be found in a technical analysis of its payload.

GootLoader’s Second-Stage Payloads

  • Downloading additional malware, including the Cobalt Strike exploitation tool and Kronos malware
  • Installing Gootkit banking Trojan to execute remote commands for performing man-in-the-browser attacks, exfiltrating keystrokes, taking screenshots, and stealing credentials
  • Executing REvil (Sodinokibi) ransomware to encrypt data and demand ransom

Signs of a GootLoader Attack

When tested, GootLoader produced low detection rates—less sophisticated endpoint security products, such as malware scanners, aren’t likely to identify a GootLoader. Instead, users should be aware of signs indicating a potential social engineering attack and be especially suspicious of websites offering free professional document templates. An analysis of recent Gootleader campaigns shows that free legal templates have been a prevalent attack vector.

How to Prevent a GootLoader Attack

Preventing a GootLoader attack largely depends on creating a security-first sense of user awareness regarding untrusted sources of documents and software. Defending against GootLoader can also be supported by next-gen security products such as Endpoint Detection and Response (EDR) solutions. 

Defensive tactics that can prevent or significantly reduce the harm caused by a GootLoader attack:

  • Audit all Windows systems for installed software, including browser plug-ins
  • Ensure that only authorized, digitally signed software is installed on all endpoints; regularly scan for and block from executing any unauthorized software 
  • Improve security visibility into remote workers’ systems with endpoint security products that offer remote attestation
  • Consider user awareness training to educate employees about the security risks of trusting search engine results and documents from unknown sources
  • Use a content proxy to monitor internet usage and restrict user access to suspicious or risky sites
  • Enforce multi-factor authentication for all critical services
  • Implement modern Identity and Access Management (IAM) tools 
  • Install and configure advanced endpoint security products on all endpoints to detect indicators of compromise (IOCs) and take defensive action to block malicious files from executing

If you’re battling this malware or a similar threat, we're here to help. The BlackBerry Incident Response team is made up of world-class consultants dedicated to handling response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global consulting team standing by to assist you, providing around-the-clock support where required, as well as local assistance.