Threat Overview - GootLoader Malware
The GootLoader malware variant is classified as a downloader and is used to open the pathway to the next stage(s) of infection. Seen in the wild since late 2020, the variant is known to infect victims' systems via SEO (Search Engine Optimization) poisoning, a malicious advertising technique in which threat actors push malicious websites near the top of search results. As referenced in the extensive analysis done by researchers at Intel 471, this technique can also be used to target specific individuals, with the threat actors knowing who they are targeting and crafting the results accordingly. GootLoader is known as a delivery mechanism for second-stage malware variants such as Gootkit and for tools such as SystemBC and SharpHound. Due to GootLoader's stealthiness, its effectiveness and its use in the wild by a number of ransomware campaigns, it is important that teams assess and prepare for this loader's capabilities.
Intel 471 Reference: TITAN Malware Campaign Report
Hunt Packages
Suspicious Scheduled Task Created - Execution Details Contains Scripting Reference
This content is designed to detect when scripting references are found in scheduled tasks. Malware and adversaries use this technique to maintain persistence on a compromised system.
Suspicious Scheduled Task Create/Update - Unusual Task Command and Arguments
Malware often maintains persistence via scheduled tasks. The provided logic identifies the use of rundll32, powershell or cmd, or a task command that references common malware locations such as AppData\Roaming or AppData\Local\Temp. These two directories are common locations for storing malware binaries.
Scheduled Task with Abnormal Location in Details
This hunt package is designed to capture activity associated with a scheduled task whose execution details include abnormal locations. This is often a mark of persistence or of malicious tasks created by malware or attackers.
WScript Executing File From Zip - Potential Loader Execution
Zip files are often utilized to deliver malicious files, such as JavaScript files. Often sent via email or downloaded via a phishing page, these zip files leave traces of execution when the files are not extracted but are executed straight from the zip file. This package identifies the temporary folder naming schemas used by 7zip, Windows Explorer and WinRAR in which a JavaScript file is executed by the built-in Windows script interpreter WScript. JavaScript files are typically utilized for the first stage of malicious execution, downloading and installing the malware.
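As an added example (not the platform's own hunt logic), the Python below encodes the two detections described in the "Unusual Task Command and Arguments" and "WScript Executing File From Zip" packages and runs them over constructed sample events; the event field names and the archive temp-folder naming patterns are assumptions.

```python
import re

# Constructed sample events (not real telemetry), shaped like normalised
# SIEM records for scheduled-task registration and process creation.
SAMPLE_EVENTS = [
    {"type": "task_create", "task": "Update Service", "command": "rundll32.exe",
     "args": r"C:\Users\a.user\AppData\Roaming\Microsoft\lib.dll,Start"},
    {"type": "task_create", "task": "Backup",
     "command": r"C:\Program Files\Backup\backup.exe", "args": "--nightly"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\a.user\AppData\Local\Temp\7zO4B1F2C3D\contract agreement 44311.js"'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\a.user\AppData\Local\Temp\Rar$DIa9876.12345\invoice.js"'},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" C:\Scripts\inventory.js'},
]

# Task command/argument indicators named in the hunt package description.
SUSPICIOUS_TASK_BINARIES = ("rundll32", "powershell", "cmd")
MALWARE_DROP_DIRS = (r"\appdata\roaming", r"\appdata\local\temp")

# Temp-folder naming schemas (assumed here) used when a file is opened straight from
# an archive: 7-Zip "7zO<hex>", Explorer "Temp1_<zip>.zip", WinRAR "Rar$<type><n>.<n>".
ARCHIVE_TEMP_RE = re.compile(
    r'\\temp\\(7zo[0-9a-f]+|temp1_[^\\"]+\.zip|rar\$[a-z]+\d+\.\d+)\\[^"]*?\.js\b', re.I)


def flag_scheduled_task(event):
    """Return the indicators matched by a task_create event (empty list = none)."""
    reasons = []
    exe = event["command"].lower().split("\\")[-1]
    if exe.split(".")[0] in SUSPICIOUS_TASK_BINARIES:
        reasons.append("interpreter:" + exe)
    blob = (event["command"] + " " + event["args"]).lower()
    reasons += ["drop_dir:" + d for d in MALWARE_DROP_DIRS if d in blob]
    return reasons


def flag_wscript_from_archive(event):
    """Return which archiver's temp folder wscript ran a .js file from, or None."""
    if not event["image"].lower().endswith("wscript.exe"):
        return None
    m = ARCHIVE_TEMP_RE.search(event["cmdline"])
    if not m:
        return None
    folder = m.group(1).lower()
    if folder.startswith("7zo"):
        return "7-Zip"
    return "Windows Explorer" if folder.startswith("temp1_") else "WinRAR"
```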