Network Security, Malware, Threat Intelligence

Updated GootLoader malware variants emerge

Privacy concept: pixelated words Malware on digital background, 3d render

Attacks with the GootLoader malware used to distribute IcedID, REvil, Gootkit, and other payloads have intensified with the appearance of new variants of the loader, which has been associated with the Hive0127 threat operation, also known as UNC2565, reports The Hacker News.

Hacked websites have been compromised with the GootLoader JavaScript payload in the form of legal files, which when executed uses a scheduled task for persistence and triggers another JavaScript for data collection activities, a Cybereason analysis found.

Intrusions were also concealed through the exploitation of source code encoding, payload size inflation, and control flow obfuscation, according to researchers, who also highlighted the integration of GootLoader in Lodash, tui-chart, Maplace.js, jQuery, and other JavaScript library files.

"While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware's resurgence in 2020," said Cybereason researchers.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

You can skip this ad in 5 seconds