Gootloader Infection
Red Canary has published details of the Gootloader malware, which it tracks separately from the Gootkit banking trojan. The firm walks through the infection chain because Gootloader appears regularly in its monthly intelligence insights and its 2021 Threat Detection Report, a sign of the loader's popularity among cybercriminals. It is distributed most often through SEO poisoning: attackers compromise WordPress sites and seed them with pages built around common search phrases, luring victims into downloading a ZIP archive whose name often contains the word "agreement". The archive holds a malicious JavaScript file which, when opened, runs under wscript.exe and checks whether the host belongs to an Active Directory domain by querying the USERDNSDOMAIN environment variable. Because that variable is set only on domain-joined machines, the check shows the operators are after business and enterprise victims rather than home users. If the check succeeds, the malware moves to a second stage that downloads DLL payloads and establishes persistence through a registry entry and a scheduled task created with PowerShell. The chain ends with PowerShell commands that stage a follow-on payload such as a Cobalt Strike Beacon, from which the attackers pursue their objectives on the network.
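The chain above gives defenders a few process-level signals that are cheap to hunt for: wscript.exe launching a .js file that was just extracted from a download, and PowerShell running as a child of wscript.exe with persistence-related arguments. The following is an added example written for this article, not code from Red Canary; the event field names (host, parent, process, cmdline), the sample events and the regular expressions are constructed assumptions standing in for whatever endpoint telemetry a reader actually has. The USERDNSDOMAIN query happens inside the script itself, so it is not visible as a separate process event and is not part of these rules.

```python
"""Toy detection pass over constructed process-creation events that flags the
Gootloader-style chain described above. Added example; field names, rules and
sample events are assumptions, not real telemetry or Red Canary's detectors."""

import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str    # parent image name, lower-case (assumed field)
    process: str   # image name, lower-case (assumed field)
    cmdline: str   # full command line (assumed field)


# Rule 1: wscript.exe running a .js from a download/extraction location,
# or one whose name contains "agreement" as the article reports.
JS_FROM_DOWNLOAD = re.compile(r"(downloads|\\temp\\).*\.js\b", re.I)
AGREEMENT_JS = re.compile(r"agreement[^\\]*\.js\b", re.I)

# Rule 2: PowerShell spawned by wscript.exe; sub-rule for persistence set-up
# via a scheduled task or an autorun registry key.
PERSIST = re.compile(
    r"(schtasks(\.exe)?\s+/create|register-scheduledtask|"
    r"currentversion\\run|set-itemproperty)",
    re.I,
)


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the single event matches."""
    hits = []
    if ev.process == "wscript.exe" and (
        JS_FROM_DOWNLOAD.search(ev.cmdline) or AGREEMENT_JS.search(ev.cmdline)
    ):
        hits.append("wscript_js_from_download")
    if ev.process == "powershell.exe" and ev.parent == "wscript.exe":
        hits.append("powershell_child_of_wscript")
        if PERSIST.search(ev.cmdline):
            hits.append("powershell_persistence")
    return hits


def detect(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Map each host with at least one hit to its sorted list of rule names."""
    out: Dict[str, set] = {}
    for ev in events:
        for rule in classify(ev):
            out.setdefault(ev.host, set()).add(rule)
    return {host: sorted(rules) for host, rules in out.items()}


def suspicious_hosts(events: List[ProcEvent]) -> List[str]:
    """Hosts showing both the initial wscript launch and the PowerShell child:
    the two halves of the chain together are a much stronger signal than either alone."""
    hits = detect(events)
    return sorted(
        h for h, rules in hits.items()
        if "wscript_js_from_download" in rules and "powershell_child_of_wscript" in rules
    )


# Constructed sample events (not real logs). WS01 shows the chain; WS02 shows
# benign wscript and PowerShell use that must not fire.
SAMPLE = [
    ProcEvent("WS01", "explorer.exe", "wscript.exe",
              r'wscript.exe "C:\Users\alice\Downloads\agreement_template\agreement_template (4821).js"'),
    ProcEvent("WS01", "wscript.exe", "powershell.exe",
              r'powershell.exe -w hidden -c "schtasks /create /tn Updater /tr C:\Users\alice\AppData\Roaming\u.ps1 /sc onlogon"'),
    ProcEvent("WS02", "explorer.exe", "wscript.exe",
              r"wscript.exe C:\Scripts\inventory.js"),
    ProcEvent("WS02", "explorer.exe", "powershell.exe",
              r"powershell.exe Get-Process"),
]

if __name__ == "__main__":
    for host, rules in detect(SAMPLE).items():
        print(host, rules)
    print("likely chain on:", suspicious_hosts(SAMPLE))
```

The rules are deliberately narrow so they can be tuned against a real environment: administrators do run scripts under wscript.exe and do create scheduled tasks from PowerShell, which is why `suspicious_hosts` only escalates when both halves of the chain appear on the same host.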