Date: 2023-11-06

IBM X-Force discovered a new variant of Gootloader, the “GootBot” implant, which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, relying on unsuspecting victims’ search activity to deliver the initial infection, which we analyze further in this blog. The Gootloader group’s introduction of its own custom bot into the late stages of the attack chain is an attempt to avoid the detections that follow from using off-the-shelf tools for C2 such as CobaltStrike or RDP. This new variant is a lightweight but effective piece of malware that allows attackers to rapidly spread throughout the network and deploy further payloads.

Previously, Gootloader was only observed as an initial access malware, after which attackers would load tools like CobaltStrike or use RDP to spread within the network. Campaigns leveraging GootBot for lateral movement constitute a significant change in post-infection TTPs, as this custom tool enables threat actors to stay under the radar for a longer period. GootBot is downloaded as a payload after a Gootloader infection and can receive C2 tasks in the form of encrypted PowerShell scripts, which it runs as jobs. Unlike Gootloader, GootBot is a lightweight, obfuscated PowerShell script that contains only a single C2 server. GootBot implants, each of which contains a different C2 server running on a hacked WordPress site, spread throughout infected enterprise domains in large numbers in the hope of reaching a domain controller. At the time of writing, GootBot has no detections listed on VirusTotal. This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as Gootloader-linked ransomware affiliate activity.