Tuesday, February 25, 2025
HomeComputer SecurityNew Gootloader Malware Abuses RDP to Spread Rapidly

New Gootloader Malware Abuses RDP to Spread Rapidly

Published on

SIEM as a Service

Follow Us on Google News

Hackers target Remote Desktop Protocol (RDP) via malware because it provides them with remote access to a victim’s computer or network, allowing them to:-

  • Steal data
  • Deploy ransomware
  • Conduct other malicious activities

Cybersecurity researchers at IBM X-Force affirmed recently that in place of conventional frameworks like CobaltStrike, the Gootloader group unveiled GootBot, a new tool for C2 and lateral movement.

Gootloader Malware Abuses RDP

GootBot, a stealthy Gootloader variant for lateral movement, complicates detection. The group uses SEO poisoning to target victims, introducing their custom bot to avoid detections while rapidly spreading and deploying payloads.

GootBot is expanding its post-infection capabilities, enabling threat actors to remain hidden for longer by running encrypted PowerShell scripts. Besides this, Gootloader was previously usually utilized for initial access.

GootBot is a lean PS script with a single C2 server that infiltrates enterprise domains via hacked WordPress sites, posing a risk with undetected activity, reads the IBM X-Force report.

Hive0127 (aka UNC2565) has been active since 2014 and deploys Gootloader via SEO poisoning and hacked WordPress sites, enabling ransomware and more.

Gootloader begins with a user downloading an infected archive, leading to obfuscated JavaScript files placed strategically in %APPDATA%.

Gootloader Malware Abuses RDP
Infection chain (Source – SecurityIntelligence)

This virus uses stages that collect data and connect with compromised WordPress-based C2 servers to schedule activities for persistence and allow dynamic PowerShell execution.

Moreover, this new variant is a lightweight PowerShell script with a single C2 server, enabling:-

  • Asynchronous execution
  • Lower EDR detection
Gootloader Malware Abuses RDP
Deobfuscated code running the C2 task (Source – SecurityIntelligence)

GootBot beacons every 60 seconds, adjustable with a specific string. It handles task results for child jobs from the C2, sending ‘E1’ for incomplete jobs and ‘E2’ for missing ones.

A modulo-based approach is used to obscure the string after Base64 encoding, which is similar to the trick used by Gootloader.

GootBot sends POST requests to its C2 server, splitting data if it’s over 100,000 chars. It spreads laterally, using various techniques to infect hosts. 

Its C2 generates diverse payloads and deploys them automatically. WinRM, SMB, and WinAPI are used for lateral movement. 

Environment variables store encrypted strings, reducing script size. GootBot spoofs PowerShell process arguments by creating new processes.

Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

GootBot also runs a reconnaissance script that collects the following data:-

  • Domain user name
  • OS (from registry key)
  • If 64bit architecture (checking for x86 dir and also size of int ptr)
  • Domain controllers
  • Running processes
  • SID
  • Local IP address
  • Hostname

Recommendations

Here below, we have mentioned all the recommendations offered by the security researchers:-

  • Make sure to keep the AV tools updated with the latest available security updates.
  • Enable script block logging.
  • Monitor Windows event logs for security indicators.
  • Watch for JavaScript file execution in downloaded ZIPs.
  • Make sure to keep your eyes on “wscript.exe” launching JavaScript files with short names like (*~1.JS) in scheduled tasks.
  • Monitor HTTP traffic for suspicious requests ending in “xmlrpc.php” URLs.
  • Suspicious cookie value: <BOT_ID>=<If user is admin: 0/1>
  • Suspicious content format: <BOT_ID>=[sX<<random_int>><packet_seq_number>]<data>
  • Always remain vigilant for lateral movement through WinRM, WMI or SCM.
  • Within your environment, make sure to disable or monitor the “Start-Job” Cmdlet.

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Google Issues Warning on Phishing Campaigns Targeting Higher Education Institutions

Google, in collaboration with its Mandiant Threat Intelligence team, has issued a warning about...

TgToxic Android Malware Updated it’s Features to Steal Login Credentials

The TgToxic Android malware, initially discovered in July 2022, has undergone significant updates, enhancing...

Hackers Exploiting Cisco Small Business Routers RCE Vulnerability Deploying Webshell

A critical remote code execution (RCE) vulnerability, CVE-2023-20118, affecting Cisco Small Business Routers, has...

Malicious npm Package Targets Developers for Supply Chain Attack

The Socket Research Team has uncovered a malicious npm package@ton-wallet/create designed to steal sensitive...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Google Issues Warning on Phishing Campaigns Targeting Higher Education Institutions

Google, in collaboration with its Mandiant Threat Intelligence team, has issued a warning about...

TgToxic Android Malware Updated it’s Features to Steal Login Credentials

The TgToxic Android malware, initially discovered in July 2022, has undergone significant updates, enhancing...

Hackers Exploiting Cisco Small Business Routers RCE Vulnerability Deploying Webshell

A critical remote code execution (RCE) vulnerability, CVE-2023-20118, affecting Cisco Small Business Routers, has...