GootBot Implant Heightens Risk of Post-Infection Ransomware

A “GootBot” implant, a variant of the notorious Gootloader malware, has been discovered by the IBM X-Force team.

In an advisory published Monday, X-Force noted that Gootloader has typically been used as initial-access malware. The introduction of GootBot, however, marks a critical shift in post-infection tactics.

Instead of relying on off-the-shelf tools such as Cobalt Strike or RDP, the Gootloader group uses GootBot for lateral movement. This custom tool lets threat actors evade detection for extended periods, raising the risk of follow-on attacks, including ransomware.

GootBot is delivered as a payload following a Gootloader infection. It can receive command-and-control (C2) tasks in the form of encrypted PowerShell scripts, allowing it to spread across infected enterprise domains. Of particular concern is the fact that GootBot implants currently have zero antivirus detections.

The Gootloader group has a history of relying on SEO poisoning to manipulate search engine results, directing unsuspecting victims to compromised websites designed to appear legitimate. Once lured to these sites, victims unwittingly download the initial payload, believing it to be related to their original search queries.

Melissa Bischoping, director of Endpoint Security Research at Tanium, argued that most people are not well equipped to handle this kind of attack.

“Most security awareness training focuses heavily on phishing and other methods where an attacker sends something to the user,” she explained. “There’s a false sense of security that people place in search result top rankings, and an outdated mindset that the lock on the address bar means a site is safe.”

As GootBot spreads laterally within infected networks, it uses several methods: WinRM invoked from PowerShell, copying payloads over SMB and direct WinAPI calls. This automated approach leads to hosts being reinfected multiple times, further complicating detection and mitigation efforts.

According to X-Force researchers Golo Mühr and Ole Villadsen, the discovery of GootBot underscores the persistence and ingenuity of cyber-attackers, who continually evolve their tactics to evade detection.

“The discovery of the Gootbot variant highlights the lengths to which attackers will go to evade detection and operate in stealth. This is a highly effective malware that allows attackers to move laterally across the environment with ease and speed and extend their attacks,” reads the advisory.

In response, Mühr and Villadsen recommended various security measures, including keeping antivirus software up to date, enabling script block logging and closely monitoring network traffic and scheduled tasks.
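As an added defensive example (not code from X-Force or from this article), the following Python triage function scans PowerShell script block log records, which the script block logging recommended above produces (Windows Event ID 4104), for the three lateral-movement behaviours the article names: WinRM remoting from PowerShell, payload copies over SMB admin shares and scheduled task creation. The record layout, host names and regular expressions are assumptions, and the sample records are constructed.

```python
"""Triage of PowerShell script block log records for the lateral-movement
behaviours attributed to GootBot in the article (WinRM in PowerShell, SMB
payload copies, scheduled tasks). Added example, not X-Force's code.
Assumes each Event ID 4104 record has already been reduced to a dict with
the logging 'computer' and the logged 'script' text."""
import re

# Technique labels with assumed regexes matching the behaviours the article
# names; these are generic indicators, not GootBot-specific signatures.
PATTERNS = [
    ("winrm_remoting",
     re.compile(r"\b(Invoke-Command|New-PSSession|Enter-PSSession)\b", re.I)),
    ("smb_admin_share_copy",
     re.compile(r"Copy-Item\b.*\\\\[\w.-]+\\(ADMIN|C)\$", re.I)),
    ("scheduled_task",
     re.compile(r"\b(Register-ScheduledTask|schtasks(\.exe)?\s+/create)\b", re.I)),
]

# Remote host named in the script: -ComputerName <host> or a \\<host>\ UNC path.
TARGET_RX = re.compile(r"-ComputerName\s+([\w.-]+)|\\\\([\w.-]+)\\", re.I)


def triage(records):
    """Return one finding per (record, matched technique) with the source
    host, the technique label and the remote host named in the script, if any.
    Correlating source/target pairs across hosts exposes the repeated
    reinfection pattern the article describes."""
    findings = []
    for rec in records:
        script = rec["script"]
        m = TARGET_RX.search(script)
        target = (m.group(1) or m.group(2)) if m else None
        for label, rx in PATTERNS:
            if rx.search(script):
                findings.append({"source": rec["computer"],
                                 "technique": label, "target": target})
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"computer": "WS01", "script": "Get-ChildItem C:\\Users\\alice\\Documents"},
    {"computer": "WS01", "script": "Invoke-Command -ComputerName WS02 -ScriptBlock { hostname }"},
    {"computer": "WS02", "script": "Copy-Item C:\\temp\\update.ps1 \\\\WS03\\ADMIN$\\update.ps1"},
    {"computer": "WS02", "script": "Register-ScheduledTask -TaskName Updater -Action $a -Trigger $t"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['source']} -> {f['target'] or '-'}: {f['technique']}")
```

Feed it records exported from the PowerShell/Operational event log and review each source-to-target hop alongside the network traffic and scheduled task monitoring the advisory recommends.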