GootLoader Malware Resurfaces with New Obfuscation Techniques

By Tina Reynolds

Cybersecurity researchers have identified a GootLoader revival. The threat actor credited as the creator of this advanced malware is Vanilla Tempest. The malware has evolved to use new tactics to hide its malicious intent, focusing in particular on WordPress sites. The new attack sequences dramatically improve its stealth and give it the ability to perform more damaging activities such as remote access and data exfiltration.

GootLoader is perhaps best known for abusing hacked WordPress sites to serve malware-laden ZIP files to unsuspecting users. The threat actor Storm-0494 is a key participant in this ecosystem, enabling hand-offs following initial infections. These changes have set off alarm bells across the cybersecurity community, prompting heightened awareness and preparedness against the renewed threat.

New Techniques in Malware Delivery

GootLoader also uses a new technique to hide its malicious payloads. The malware is delivered in ZIP files that look harmless at first sight: opened with certain tools, they extract to an apparently benign .TXT file. The embedded JavaScript payload, however, deploys a backdoor named Supper, which gives the attackers remote control and SOCKS5 proxying.

“For instance, this human element makes the GootLoader threat so crafty and dangerous,” noted cybersecurity specialist Anna Pham. She stated, “GootLoader is back and now leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames.” As a result, anyone who views the page source or copies a file name sees only unreadable symbols.

“However, when rendered in the victim’s browser, these same characters magically transform into perfectly readable text like Florida_HOA_Committee_Meeting_Guide.pdf.” – Anna Pham

This evasion technique doesn’t just disguise the malware’s true identity; it also frustrates automated analysis workflows. As Huntress, a cybersecurity company tracking GootLoader’s activity, put it: “This ‘good enough’ approach proves that threat actors don’t need cutting-edge exploits when properly obfuscated bread-and-butter tools achieve their objectives.”
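As an added example (not code from the article or from Huntress), the heuristic below gives a defender a way to triage a suspicious page for the mismatch the article describes: a link to a downloadable file whose page-source text is not a plausible file name, on a page that declares a custom WOFF2 web font that could remap the glyphs. The file-name pattern, the download-extension list and the sample HTML are assumptions constructed for the example.

```python
import re
import unicodedata
from html.parser import HTMLParser

FILENAME_OK = re.compile(r"^[A-Za-z0-9 ._()\-]+$")   # plausible file name (assumption)
FONT_FACE = re.compile(r"@font-face\s*\{[^}]*url\([^)]*\.woff2?[^)]*\)", re.I | re.S)
DOWNLOAD_HREF = re.compile(r"\.(zip|pdf|docx?|js)(\?|$)", re.I)

class _Collector(HTMLParser):
    """Gathers (text, attributes) pairs for every <a> and inline <style> element."""
    def __init__(self):
        super().__init__()
        self.links, self.styles, self._buf, self._attrs, self._mode = [], [], [], {}, None
    def handle_starttag(self, tag, attrs):
        if tag in ("a", "style"):
            self._mode, self._buf, self._attrs = tag, [], dict(attrs)
    def handle_endtag(self, tag):
        if tag == self._mode:
            text = "".join(self._buf).strip()
            (self.links if tag == "a" else self.styles).append((text, self._attrs))
            self._mode = None
    def handle_data(self, data):
        if self._mode:
            self._buf.append(data)

def unreadable_ratio(text):
    """Share of Private Use, unassigned, symbol or control characters in the source text."""
    odd = sum(unicodedata.category(c) in ("Co", "Cn", "So", "Cc", "Cf") for c in text)
    return odd / len(text) if text else 0.0

def find_font_masked_links(html):
    """Flag download links whose page-source text is not a plausible file name
    while the page declares a custom web font that could remap the glyphs."""
    p = _Collector()
    p.feed(html)
    if not any(FONT_FACE.search(css) for css, _ in p.styles):
        return []                                   # no custom font, no glyph trick
    findings = []
    for text, attrs in p.links:
        href = attrs.get("href") or ""
        is_download = "download" in attrs or DOWNLOAD_HREF.search(href)
        if text and is_download and not FILENAME_OK.match(text):
            findings.append({"href": href, "source_text": text,
                             "unreadable_ratio": round(unreadable_ratio(text), 2)})
    return findings

# Constructed sample: the first link's text is Private Use Area code points that only the declared font would render.
SAMPLE_HTML = """<html><head><style>@font-face { font-family: "g"; src: url(/fonts/g.woff2); }</style>
</head><body><a href="/dl/guide.zip" download>\ue041\ue042\ue043\ue044\ue045\ue046</a>
<a href="/dl/notes.pdf">meeting_notes.pdf</a></body></html>"""
```

Running `find_font_masked_links(SAMPLE_HTML)` reports only the first link; a page with the same links but no `@font-face` rule produces no findings, since copied text that is gibberish without a custom font is the signal here.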

Targeted Search Strategies and Rapid Intrusions

GootLoader’s operators use targeted search queries to attract victims. Queries such as “missouri cover utility easement roadway” on Bing have worked in the past, drawing in people who are looking for legal templates. Targeting such specific user needs makes the infections more likely to succeed.

Once installed, GootLoader can lead to devastating breaches within hours. According to the reports, hands-on-keyboard intrusions have compromised domain controllers in as little as 17 hours after the initial infection. This rapid timeline underscores the need for organizations to strengthen their overall security posture against these threats.

“The Supper SOCKS5 backdoor uses tedious obfuscation protecting simple functionality – API hammering, runtime shellcode construction, and custom encryption add analysis headaches, but the core capabilities remain deliberately basic: SOCKS proxying and remote shell access.” – Huntress

As GootLoader becomes more sophisticated, its ties to other notable malware such as Emotet cloud the landscape further. It has also been consolidated under Interlock RAT (also referred to as NodeSnake), malware mainly associated with Interlock ransomware.

The Role of Cybersecurity Companies

Huntress has played a leading role in tracking GootLoader’s recent activity, and its findings showcase the malware’s methods for evading detection. The campaign abuses WordPress comment endpoints to serve ZIP payloads that are XOR-encrypted with a key unique to each file. This careful approach makes the malware that much harder to detect.

Pham remarked on the effectiveness of GootLoader’s tactics: “This simple evasion technique buys the actor time by hiding the true nature of the payload from automated analysis.” As GootLoader’s tactics grow in sophistication, cybersecurity professionals have to stay one step ahead and defend their systems proactively.