The operators of the GOOTLOADER malware, tracked as UNC2565, are actively updating their toolset. Recent changes include a reworked infection chain, new payloads delivered after the initial infection, improved stealth, and additional components.
New infection chain
According to Mandiant researchers, a new variant of the malware was identified in November last year. It uses a new infection chain, tracked as GOOTLOADER.POWERSHELL, which proceeds in the following steps.
When a user visits a website compromised by UNC2565, a malicious ZIP archive containing a .JS file is downloaded to the device. Nothing further happens until the user opens that script.
When the JavaScript file is launched, it writes a second, inflated file with a .LOG extension, padded with large amounts of junk code for obfuscation. This file is then renamed with a .JS extension.
The dropper creates a scheduled task that executes the renamed JS file immediately and again after a reboot, which gives the malware persistence.
The dropped script spawns a PowerShell process that collects system information such as the OS version, file names, and running processes, compresses it with GZip, and sends it to the C2 server.
Once the C2 has received this information, it responds with a payload that stages additional components on the host, including FONELAUNCH and an in-memory dropper that typically delivers a Cobalt Strike Beacon. These later stages are also executed via PowerShell.
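The chain above leaves a recognizable sequence in endpoint telemetry: a script host (wscript.exe or cscript.exe) launched on a .JS in a user-writable directory, that same process writing a .LOG/.JS pair under AppData, a scheduled task whose action points at a .JS in a user profile, and PowerShell running as a child of the script host. The following Python is an added example, not Mandiant's or the page's code, that correlates those four signals over Sysmon-style events. The event dicts, process IDs, file names, and task name are constructed for the example and do not come from the report; the field names only mimic Sysmon Event ID 1 (process create), Event ID 11 (file create) and Security Event 4698 (scheduled task created).

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real GOOTLOADER data). Assumed fields:
#   "process": pid, ppid, image, cmdline   (like Sysmon Event ID 1)
#   "file":    pid, image, target          (like Sysmon Event ID 11)
#   "task":    pid, name, action           (like Security Event 4698)
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "ppid": 3020,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Stage 1: user double-clicks the .JS extracted from the downloaded ZIP
    {"type": "process", "pid": 4212, "ppid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\contract_template_1234.js"'},
    # Stage 2: the script writes an inflated .LOG under AppData, then a .JS appears (rename)
    {"type": "file", "pid": 4212, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Files\Resources.log"},
    {"type": "file", "pid": 4212, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Files\Resources.js"},
    # Stage 3: scheduled task whose action runs the dropped .JS (constructed task name)
    {"type": "task", "pid": 4212, "name": r"\Microsoft Files Resources",
     "action": r"wscript.exe C:\Users\alice\AppData\Roaming\Microsoft\Files\Resources.js"},
    # Stage 4: PowerShell spawned by the script host to collect host info and fetch stage 2
    {"type": "process", "pid": 4300, "ppid": 4212,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "<constructed stage-2 loader>"'},
    # Benign control: an admin running a system script from a system path must not fire
    {"type": "process", "pid": 5000, "ppid": 4100,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Windows\System32\slmgr.vbs /dlv"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Locations a standard user can write to; system paths are deliberately excluded.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\|\\Temp\\", re.I)
JS_ARG = re.compile(r"\S+\.js\b", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, detail) tuples, one per matching event."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            img, cmd = basename(e["image"]), e["cmdline"]
            # Script host executing a .JS from a user-writable directory
            if img in SCRIPT_HOSTS and JS_ARG.search(cmd) and USER_WRITABLE.search(cmd):
                findings.append(("script_host_js_user_dir", pid, cmd))
            # PowerShell whose parent is a script host
            parent = procs.get(e["ppid"])
            if img in POWERSHELL and parent and basename(parent["image"]) in SCRIPT_HOSTS:
                findings.append(("powershell_child_of_script_host", pid, cmd))
        elif e["type"] == "file":
            # Script host dropping .LOG/.JS files into a user profile path
            if (basename(e["image"]) in SCRIPT_HOSTS and USER_WRITABLE.search(e["target"])
                    and e["target"].lower().endswith((".log", ".js"))):
                findings.append(("script_host_writes_script_to_appdata", pid, e["target"]))
        elif e["type"] == "task":
            # Persistence: task action runs a .JS from a user-writable path
            if JS_ARG.search(e["action"]) and USER_WRITABLE.search(e["action"]):
                findings.append(("scheduled_task_runs_js", pid, e["action"]))
    return findings


def correlate(events, min_stages=3):
    """Group findings by the originating script-host process and report those
    hitting at least `min_stages` distinct rules, which is far rarer than any
    single rule firing on its own."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    stages = defaultdict(set)
    for rule, pid, _ in detect(events):
        root = procs[pid]["ppid"] if rule == "powershell_child_of_script_host" else pid
        stages[root].add(rule)
    return {pid: sorted(rules) for pid, rules in stages.items() if len(rules) >= min_stages}


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
    print("chains:", correlate(SAMPLE_EVENTS))
```

The task rule keys on the registered action rather than on a schtasks.exe command line because a script can create the task through the Schedule.Service COM object without ever spawning schtasks.exe; Security Event 4698 (which needs object-access auditing enabled) or an EDR's task-creation telemetry records the action either way. The benign cscript.exe event in the sample is there to show that the user-writable-path condition, not the script host alone, is what separates this chain from legitimate scripting.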
New layers of obfuscation
The obfuscation in the latest variant is more complex than in earlier ones: rather than sitting in one block, the malicious code is nested throughout the file.
The variant also adds string variables that are only consumed during a second stage of deobfuscation, so a single pass of decoding does not reveal the payload.
It trojanizes several legitimate JavaScript libraries, including jQuery, Underscore.js, and Chroma.js, so the malicious code is surrounded by large amounts of genuine library code.
Words of caution
GOOTLOADER's operators keep enhancing the malware, which indicates they intend to use it in further attacks. The increasingly sophisticated obfuscation will make it harder for defenders to detect and analyze. Organizations should therefore implement enterprise-grade security controls, including participation in a real-time threat intelligence exchange platform, and provide training and awareness so employees treat JavaScript files and other files inside archives downloaded from the internet with suspicion. A simple hardening step is to change the default handler for .JS files from the Windows Script Host to a text editor, so a double-clicked script is displayed rather than executed.