GootLoader Malware Employs Sophisticated Techniques to Evade Detection


By Tina Reynolds


GootLoader, a JavaScript-based malware loader, has become one of the most prominent threats in the current landscape and has been active since it was first observed in the wild in 2020. It relies on an unusually advanced technique: building malformed ZIP archives that slip past at least some security tooling. GootLoader stitches together between 500 and 1,000 separate ZIP archives, a strategy designed to produce a file that automated analysis pipelines cannot process. The archive's End of Central Directory (EOCD) record is also truncated, which triggers parsing errors and prevents many unarchiving tools from extracting the malware at all.

As researchers note, shortening the EOCD record cuts off two important bytes, and that small loss is enough to create significant problems for security tooling. The scheme is refined further by randomizing non-essential fields in the ZIP structure and signature. By altering fields such as the disk number and total number of disks, the attackers make unarchiving tools believe the file is one part of a spanned archive and go looking for additional segments that do not exist. As a result, unsuspecting users end up with one of these payloads rather than the file they believed they were downloading.
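As an added illustration (not code from the article or from the researchers it quotes), the following Python check flags the structural traits described above in a ZIP file: several archives concatenated into one, an EOCD record cut two bytes short, and non-zero disk-number fields that imply a spanned archive. The sample archives are constructed inline; the field layout follows the standard ZIP specification.

```python
import io
import struct
import zipfile

LOCAL_HDR = b"PK\x03\x04"   # local file header signature
EOCD = b"PK\x05\x06"        # End of Central Directory signature
EOCD_LEN = 22               # fixed-size part of the EOCD record

def analyze_zip(data: bytes) -> dict:
    """Return structural indicators of a concatenated or malformed ZIP."""
    report = {
        "local_headers": data.count(LOCAL_HDR),
        "eocd_records": data.count(EOCD),
        "eocd_truncated": False,
        "spanned_disk_fields": False,
    }
    last = data.rfind(EOCD)
    if last < 0:
        report["eocd_truncated"] = True          # no EOCD record at all
        return report
    if len(data) - last < EOCD_LEN:
        report["eocd_truncated"] = True          # fixed part cut short
    if len(data) - last >= 8:
        # bytes 4-5: number of this disk, bytes 6-7: disk holding the CD
        disk_no, cd_disk = struct.unpack_from("<HH", data, last + 4)
        report["spanned_disk_fields"] = disk_no != 0 or cd_disk != 0
    return report

def make_benign_zip(name: str, content: bytes) -> bytes:
    """Constructed single-entry archive used as benign input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()

def make_malformed_zip(parts: int = 5) -> bytes:
    """Constructed sample imitating the described traits: several archives
    stitched together, non-zero disk fields, and an EOCD cut 2 bytes short."""
    blob = bytearray()
    for i in range(parts):
        blob += make_benign_zip(f"pad{i}.txt", b"x" * 64)
    last = blob.rfind(EOCD)
    struct.pack_into("<HH", blob, last + 4, 3, 3)   # altered disk fields
    return bytes(blob[:-2])                          # drop the last two bytes

def is_suspicious(report: dict) -> bool:
    """Any one trait alone is rare in legitimate single-part archives."""
    return (report["eocd_truncated"] or report["spanned_disk_fields"]
            or report["eocd_records"] > 1)
```

Because the concatenated parts are randomized, hashing the whole file is useless for detection; counting EOCD records and validating the final record's length and disk fields catches the structure instead.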

Technical Mechanisms of GootLoader

GootLoader relies on several technical mechanisms that obscure its activity while strengthening its evasion. The malware spreads by abusing the WordPress comment endpoint (“/wp-comments-post.php”) and serves malicious ZIP payloads when users click the “Download” button on certain online installers. Strategic placement of content and advertising maximizes the chance that users engage, making these delivery methods more effective.

In addition, custom WOFF2 fonts that use glyph substitution add a further layer of obfuscation. This trick lets GootLoader mask file names, making it harder to detect. Aaron Walton, a cybersecurity expert, explains that “the actor creates a malformed archive as an anti-analysis technique.” The approach shows how far cybercriminals are willing to go to hide their actions.

Moreover, Walton notes that “many unarchiving tools are not able to consistently extract it, but one critical unarchiving tool seems to work consistently and reliably: the default tool built into Windows systems.” This dependence on the included Windows unarchiver allows GootLoader to maximize its effectiveness in user environments.

Evolving Delivery Methods

GootLoader’s delivery methods have changed drastically over the years. To defeat detection, the attackers keep adding more complex obfuscation techniques. One favored technique is called “hashbusting.” Walton explains that “hashbusting” is a defense-evasion tactic: the process involves generating a random number of files to concatenate and randomizing the values of certain fields.

As a result, every user downloading a ZIP file from GootLoader’s infrastructure receives a different file, so searching for the hash of one of these archives in other environments is futile. One GootLoader developer admitted to using hashbusting for the ZIP archive. Unlike the other examples in this post, this technique works on the JScript file packed inside the archive. The practice further hides the malware’s presence and frustrates efforts to identify it and limit its impact.

Implications for Cybersecurity

The implications of GootLoader’s sophisticated techniques are profound for cybersecurity professionals and end-users alike. As malware becomes more sophisticated and stealthy, the era of relying solely on detection is quickly becoming untenable. It can’t be overstated that organizations need to stay one step ahead and adjust their security strategy to outsmart these future threats.

Additionally, users must understand the risks of downloading files from unknown or untrusted sources. Education about safe browsing practices, together with basic caution, is the best first step to avoid unintentionally downloading this kind of dangerous payload.