July 5, 2024 at 05:56AM
Cybereason reported that the GootLoader malware, linked to the threat actor Hive0127, continues to evolve, the latest version being GootLoader 3. It is distributed via SEO poisoning and serves as a conduit for delivering a range of follow-on payloads. The attackers have also released their own command-and-control tool, expanding their opportunities for financial gain.
GootLoader, which is linked to the Gootkit banking trojan and associated with the threat actor Hive0127, remains a significant threat. The attackers use SEO poisoning to distribute the malware and have introduced a new command-and-control tool called GootBot. The attack chains involve compromising websites to host the GootLoader JavaScript payload, using techniques such as source-code encoding and embedding the malware in legitimate JavaScript library files to resist analysis and detection. The malware’s frequent updates, its changing evasion and execution functionality, and its use of legitimate file types for obfuscation make it a sophisticated and persistent threat.
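The summary above notes that the loader is hidden inside otherwise legitimate JavaScript library files and relies on source-code encoding. A defender reviewing a web server can check for exactly that pattern: a library file whose content no longer matches a known-good copy, and which carries unusually long, high-entropy string literals (the typical footprint of an encoded blob). The script below is an added illustration, not code from Cybereason or from the GootLoader report; the "library" and the appended blob are constructed samples, and the thresholds (128-character literals, 4.5 bits/char) are assumptions to tune per environment.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Constructed known-good library snippet (not a real library).
CLEAN_LIB = (
    "/*! mini-lib v1.0 */\n"
    "(function(w){w.lib={add:function(a,b){return a+b;}};})(window);\n"
)


def _constructed_blob(seed: bytes = b"constructed-sample", nbytes: int = 256) -> str:
    """Deterministic pseudo-random base64 filler standing in for an encoded payload.
    This is synthetic data, not a malware sample."""
    out, cur = b"", seed
    while len(out) < nbytes:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return base64.b64encode(out[:nbytes]).decode()


# Constructed tampered copy: the clean library with an encoded blob appended.
TAMPERED_LIB = CLEAN_LIB + 'var z = "' + _constructed_blob() + '";\n'

# Hashes of files an administrator knows to be untouched (assumed to be maintained
# from the site's deployment artefacts; here only the constructed sample).
KNOWN_GOOD = {hashlib.sha256(CLEAN_LIB.encode()).hexdigest()}

_STRING_LITERAL = re.compile(r"'(?:[^'\\\n]|\\.)*'|\"(?:[^\"\\\n]|\\.)*\"")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def shannon_entropy(s: str) -> float:
    """Bits per character; base64/hex-encoded blobs score far above ordinary code."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def string_literals(js_text: str):
    """Yield the contents (quotes stripped) of single- and double-quoted literals."""
    for m in _STRING_LITERAL.finditer(js_text):
        yield m.group(0)[1:-1]


def appended_segment(known_good: str, observed: str) -> str:
    """Return whatever was appended after the longest common prefix with the known-good copy."""
    i = 0
    while i < min(len(known_good), len(observed)) and known_good[i] == observed[i]:
        i += 1
    return observed[i:]


def analyze_js(js_text: str, known_good_hashes: set, min_len: int = 128,
               min_entropy: float = 4.5) -> dict:
    """Integrity plus content heuristic for a served JavaScript file.

    verdict: 'clean'      - hash matches a known-good copy and no encoded-looking literal
             'modified'   - content drifted from known-good but no blob found (investigate)
             'suspicious' - long, high-entropy literal present (possible embedded loader)
    """
    digest = sha256_hex(js_text)
    flagged = []
    for lit in string_literals(js_text):
        if len(lit) >= min_len:
            ent = shannon_entropy(lit)
            if ent >= min_entropy:
                flagged.append((len(lit), round(ent, 2)))
    hash_match = digest in known_good_hashes
    if hash_match and not flagged:
        verdict = "clean"
    elif flagged:
        verdict = "suspicious"
    else:
        verdict = "modified"
    return {"sha256": digest, "hash_match": hash_match,
            "flagged_literals": flagged, "verdict": verdict}


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_LIB), ("tampered", TAMPERED_LIB)):
        print(name, analyze_js(text, KNOWN_GOOD))
    print("appended:", appended_segment(CLEAN_LIB, TAMPERED_LIB)[:40], "...")
```

Run it against the files actually served from the web root rather than the copies in source control: the report's point is that the compromised site keeps serving a file that still looks like the original library. The hash check catches any drift; the entropy check is what separates a benign version bump from a file that now carries an encoded payload, and `appended_segment` shows an analyst where to start reading.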