The Gootloader Group, previously known only as an initial access broker (IAB) and malware operator, has unleashed a destructive new post-compromise tool, GootBot, which spreads bots throughout enterprise environments following a compromise.
Gootloader (also tracked as Hive0127 and UNC2565) has been active since 2014 and uses SEO poisoning to fool victims into downloading infected business document templates — contracts and forms — for initial compromise, researchers at IBM's X-Force threat intelligence group said in a new advisory.
Typically, Gootloader would then broker that access off to other threat groups, who would use tools like Cobalt Strike or Remote Desktop Protocol (RDP) to spread throughout the network, the researchers explained. But a new tool the group has begun deploying is the much more destructive GootBot post-compromise malware, which, after Gootloader’s initial compromise, deploys a bot army that is very difficult to detect.
The IBM X-Force group explained, alarmingly, that each bot is controlled by its own command-and-control (C2) server running on a breached WordPress site. Once deployed, the bots begin searching out a domain controller.
Worse yet, GootBot, as of Nov. 6, has no detections listed on VirusTotal, the researchers added.
“This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as Gootloader-linked ransomware affiliate activity,” the report warned.
- Source: https://www.darkreading.com/attacks-breaches/gootloader-malicious-custom-bot-army-enterprise-networks