GootLoader Malware Analysis, Overview by ANY.RUN

What is GootLoader malware?

GootLoader is a loader malware initially designed to distribute the GootKit banking trojan. Operated by the UNC2565 threat group, today it functions as initial-access-as-a-service software, catering to cybercriminals who aim to deploy their malware, like Cobalt Strike, on already infected machines. While GootKit has been in circulation since 2014, GootLoader was introduced more recently in 2021. Campaigns involving GootLoader target users visiting hijacked WordPress websites and online forums. Attackers inject malicious code into these pages, deceiving visitors into downloading fake legal documents, which, in reality, turn out to be malicious files designed to infect their systems of GootLoader.

GootLoader analysis inside ANY.RUN Sandbox GootLoader analysis inside the ANY.RUN sandbox

To observe the entire GootLoader infection process, use ANY.RUN’s Interactive Sandbox that provides a safe virtual environment for hands-on analysis of cyber threats.

Check out this sandbox session showing the detonation of a GootLoader sample.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

GootLoader malware technical details

GootLoader employs a multi-stage execution process, characterized by several advanced capabilities:

Memory-only execution: The second stage of GootLoader deploys entirely in memory without writing to disk, making it difficult for traditional antivirus solutions to detect.
Encryption and obfuscation: The malware utilizes encryption and obfuscation techniques to conceal its activities and avoid detection by security tools.
External payload fetching: The second-stage payload is typically fetched from an external URL hardcoded in the malware, ensuring that the malicious code is not stored locally on the infected machine. See how you can easily extract hardcoded data with the ANY.RUN sandbox.
Evasion techniques: GootLoader performs evasion by sleeping, which helps it avoid detection by delaying its activities and blending in with legitimate processes.
Persistence mechanisms: To ensure it remains active on the infected system, GootLoader modifies the registry and adds an autorun entry, allowing it to execute automatically on system startup.
Process injection: The malware uses process injection to hijack legitimate Windows utilities with malicious code, further complicating detection and analysis.
Malware deployment: GootLoader is capable of dropping various types of malware, including GootKit and Cobalt Strike, expanding its potential for damage and data exfiltration.
Lateral movement: The latest versions of GootLoader are equipped with the ability to move laterally within a network, spreading the infection to other connected devices.

GootLoader execution process

GootLoader's infection process involves several steps. It usually starts when someone visits a compromised website and downloads a malicious archive, often disguised as a legitimate document like a template or contract. This archive typically contains a JavaScript file.

GootLoader graph inside ANY.RUN Sandbox GootLoader process graph inside the ANY.RUN sandbox

When the file is opened, the first stage of infection begins. It uses Windows Script Host (wscript) to run an obfuscated JavaScript payload. This payload creates a scheduled task to ensure the infection persists, leading to the execution of a second obfuscated JavaScript file stored on the disk.

GootLoader process inside ANY.RUN Sandbox GootLoader script execution inside the ANY.RUN sandbox

In the second stage, the execution shifts from wscript to cscript, which runs as a child process. This allows a PowerShell script to run, further deobfuscating and executing more malicious code. The PowerShell script collects information from the infected system, such as operating system details, running processes, and environment variables. It can also check the system's location and use sleep commands. The collected information is then compressed, encoded, and sent to a command-and-control (C2) server.

GootLoader Suricata inside ANY.RUN Sandbox Suricata IDS detection of GootLoader inside the ANY.RUN sandbox

The third stage involves executing additional payloads, which might include components like a Cobalt Strike beacon or other malware. These payloads are often written into Windows Registry keys to ensure they persist and remain active even after the system is rebooted. GootLoader's use of obfuscation techniques makes it hard for traditional security methods to detect. Its sophisticated infection process highlights its effectiveness as a persistent threat to enterprise environments.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

Collect Cyber Threat Intelligence on GootLoader

To stay informed about the latest GootLoader samples and attacks, use Threat Intelligence Lookup from ANY.RUN. This tool lets you access a large database filled with findings from millions of malware analyses done in the ANY.RUN sandbox.

With over 40 search options, including IPs, domains, file names, and process details, you can easily find relevant information about threats like GootLoader.

GootLoader search in TI Lookup GootLoader search results in TI Lookup

You can search directly by the threat name or use related clues like hash values or network connections. By entering a query like threatName:"GootLoader" AND domain:"", you'll get a list of files, events, domain names, and other data from GootLoader samples. These results, along with sandbox sessions, help you understand the malware's behavior in detail.

Integrate ANY.RUN’s threat intelligence solutions in your company

GootLoader malware distribution methods

GootLoader uses SEO poisoning to rank attacker-controlled websites high in search results, ensuring that potential victims are more likely to encounter these malicious sites.

Once victims visit these websites, they are prompted to download files such as contract templates and other legal documents that appear legitimate and relevant to them.

These files are usually archives containing .js scripts that serve as the first stage of the GootLoader infection. By disguising malicious files as legitimate documents, the attackers increase the likelihood of successful infection.

Conclusion

GootLoader’s ability to evade detection through memory-only execution, encryption, and process injection makes it a serious threat for traditional security measures. The use of SEO poisoning to distribute the malware further complicates efforts to prevent its spread, as it targets unsuspecting users searching for legitimate information.

To proactively identify and mitigate the risks associated with GootLoader, organizations can use tools such as the interactive malware sandbox from ANY.RUN. This sandbox provides a controlled environment for analyzing suspicious files, allowing security teams to detect and understand the behavior of GootLoader and other malicious software.