GootBot: a new threat with a unique approach to system management

IBM described the successor to GootLoader and the difficulties of blocking its servers.

The IBM X-Force team discovered a new version of the GootLoader loader, called GootBot. The new version allows you to perform lateral movement on compromised systems and evade detection. GootLoader, which uses SEO poisoning tactics, is known for its ability to deliver next-stage malware to the system and is associated with the Hive0127 (UNC2565) group.

GootBot is an obfuscated PowerShell script designed to connect to a compromised WordPress site to receive additional commands. The situation is complicated by the use of a unique hard-coded command-and-control (C2) server for each GootBot sample, which makes it difficult to block malicious traffic.

Detected campaigns use poisoned search results for topics related to legal documents and forms. Search results direct victims to compromised sites that disguise themselves as legitimate forums and invite victims to download an archive containing the initial payload.

The archive contains an obfuscated JavaScript file, which extracts another JavaScript file after execution. The file is activated via a scheduled task to achieve persistence. In the second step, the JavaScript runs a PowerShell script to collect information about the system and exfiltrate it to a remote server, which in turn responds with a PowerShell script that runs in an infinite loop. This tactic allows hackers to actively distribute various payloads. GootBot sends a signal to its C2 server every 60 seconds to get PowerShell tasks to run and sends the results back to the server as HTTP POST requests.

GootBot's capabilities range from scouting to lateral movement, effectively extending the scope of the attack. Detection of the GootBot variant highlights the efforts that cybercriminals make to avoid detection and work covertly, increasing the chance of successful completion of post-exploitation steps.
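Because every sample carries its own hard-coded C2, blocklisting hostnames is a weak control; the behaviour that stays constant across samples is the cadence described above (a poll roughly every 60 seconds, results returned by HTTP POST). The script below is an added example, not code from the post or from IBM's report: it runs over a few constructed proxy log lines (hostnames and addresses are placeholders, not real indicators) and flags client-to-destination flows whose request timing is regular, close to a given period, and dominated by POSTs. The threshold values are assumptions to be tuned against your own traffic.

```python
"""Periodic-beacon detection over constructed web-proxy log lines.

Added example (not from the original post or IBM's report). GootBot is
described as polling a per-sample, hard-coded C2 every 60 seconds and
returning task output via HTTP POST. This groups requests by
(client, destination), measures inter-request intervals, and flags
flows whose timing is regular and close to the expected period.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: "<ISO timestamp> <client> <method> <host> <path>".
# All hostnames and addresses are placeholders, not indicators.
SAMPLE_LOG = """\
2023-11-06T09:00:00 10.0.0.5 POST wp-example-c2.test /xmlrpc.php
2023-11-06T09:00:02 10.0.0.5 GET  cdn.example.test /app.js
2023-11-06T09:01:00 10.0.0.5 POST wp-example-c2.test /xmlrpc.php
2023-11-06T09:01:59 10.0.0.5 POST wp-example-c2.test /xmlrpc.php
2023-11-06T09:03:01 10.0.0.5 POST wp-example-c2.test /xmlrpc.php
2023-11-06T09:04:00 10.0.0.5 POST wp-example-c2.test /xmlrpc.php
2023-11-06T09:00:10 10.0.0.7 GET  news.example.test /
2023-11-06T09:02:45 10.0.0.7 GET  news.example.test /story/1
2023-11-06T09:09:30 10.0.0.7 GET  news.example.test /story/2
2023-11-06T09:10:00 10.0.0.7 POST news.example.test /comment
"""


def parse_log(text):
    """Yield (timestamp, client, method, host) per line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def find_beacons(text, period=60.0, tolerance=0.10, min_events=4, min_post_ratio=0.5):
    """Return {(client, host): summary} for flows that look like periodic POST beacons.

    A flow is flagged when it has at least `min_events` requests, its mean
    interval is within `tolerance` (as a fraction) of `period`, the jitter
    (population std dev of the gaps) is small relative to `period`, and at
    least `min_post_ratio` of its requests are POSTs. Thresholds are assumed
    starting points, not values from the report.
    """
    flows = defaultdict(list)
    for ts, client, method, host in parse_log(text):
        flows[(client, host)].append((ts, method))

    hits = {}
    for key, events in flows.items():
        if len(events) < min_events:
            continue
        events.sort()  # order by timestamp before measuring gaps
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        post_ratio = sum(1 for _, m in events if m == "POST") / len(events)
        if (abs(avg - period) <= period * tolerance
                and jitter <= period * tolerance
                and post_ratio >= min_post_ratio):
            hits[key] = {"events": len(events), "mean_gap": round(avg, 1),
                         "jitter": round(jitter, 1), "post_ratio": round(post_ratio, 2)}
    return hits


if __name__ == "__main__":
    for (client, host), summary in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {summary}")
```

On the constructed input only the 10.0.0.5 flow to wp-example-c2.test is flagged (five POSTs, mean gap 60 s, jitter about 1.2 s); the browsing flow from 10.0.0.7 has irregular gaps and is left alone. Real beacons often add deliberate jitter, so widen `tolerance` and lengthen the observation window rather than relying on an exact 60-second match, and treat a hit as a lead for host triage (scheduled tasks launching script files, PowerShell spawned from wscript.exe) rather than a verdict.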