Increase in GootLoader Malware

THE THREAT

eSentire has identified an increase in the GootLoader malware impacting organizations in the Legal services industry. GootLoader is an initial access malware that leads to the Gootkit Remote Access Trojan (RAT). It is delivered through drive-by social engineering attacks. This malware has been observed as a precursor to other threats including the Cobalt Strike red-team tool and the REvil ransomware.

Organizations are strongly encouraged to review the recommendations section of this advisory and ensure employees are aware of best security practices when searching for online documents.

What we’re doing about it

• eSentire MDR for Network has rules in place to identify GootLoader
• eSentire MDR for Network and Endpoint have rules in place to identify GootKit
• eSentire is conducting global threat hunts for Indicators of Compromise (IoCs) associated with GootLoader
• Known attacker infrastructure has been blocked via eSentire’s global deny list
• The eSentire Threat Intelligence team is actively tracking this threat for additional details and detection opportunities

What you should do about it

• Educate employees regarding the risk of GootLoader and more broadly the Security Risks involved with using Search Engines to discover free document templates
  • Make sure you trust document sources. Even legitimate Word and Excel documents from the Internet can lead to malware
  • Ensure your downloaded content is what you intended. If you download a document from the Internet but you are served a JavaScript file, do not open it. Escalate it to your internal IT security team
• Ensure standard procedures are in place for employees to submit potentially malicious content for review
• Use Windows Attack Surface Reduction rules to block JavaScript and VBScript form launching downloaded content
• Employ an Endpoint Detection and Response (EDR) product

Additional information

The threat actors behind this campaign employ Search Engine Optimization (SEO) poisoning in order to direct users searching for specific document templates to a malicious version (see Figure 1). Downloading and opening the malicious file leads to the deployment of GootLoader. Recently observed malicious templates focus on “agreements” as a key term, but other keywords are likely in use. The full infection chain can be found below.

Typical Infection Process:

1. User performs a web search for a document or document template
2. User clicks on search result leading to GootLoader landing page
3. Landing page presents a fake web forum and link to the requested document
4. User clicks on the presented link, receives a Zip archive
5. User opens the archive, finds a JavaScript file (.js extension) disguised as the requested document
6. User executes the JavaScript file by double-clicking it
7. Windows executes the JavaScript file using the Windows script host process, resulting in execution of the GootLoader malware

Quickly identifying and remediating GootLoader infections is critical in preventing follow on attacks and the deployment of more damaging malware such as ransomware. Additional details on GootLoader tactics can be found in the eSentire report “GootLoader Hackers Poison Websites Globally in Order to Infect Business Professionals with Ransomware, Intrusion Tools and Bank Trojans”.

Figure 1: GootLoader Infection Process – Search Engine results leading to GootLoader distribution page and corresponding Zip archive leading to malicious Java Script.

References:

[1] https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide#block-javascript-or-vbscript-from-launching-downloaded-executable-content
[2] https://www.esentire.com/security-advisories/gootloader-hackers-poison-websites-globally