Gootloader malware updated with PowerShell, sneaky JavaScript

The operators behind Gootloader, a crew dubbed UNC2565, have upgraded the code in cunning ways to make it more intrusive and harder to find.

Researchers with Google-owned security shop Mandiant started seeing significant changes to the Gootloader malware package – also known as Gootkit – in November 2022, including using multiple variations of FONELAUNCH, a .NET-based loader, as well as some newly developed payloads and obfuscation techniques. There are also changes in its infection chain, including a new variant called Gootloader.PowerShell.

“These changes are illustrative of UNC2565’s active development and growth in capabilities,” the researchers wrote in a report, adding that the group is the only one known to use the malware.

A Gootloader infection starts via a search engine optimization (SEO) poisoning attack, with a victim who is searching online for business-related documents, such as templates, agreements, or contracts, being lured into going to a website compromised by the criminal gang.

On the site are documents that actually are malicious ZIP archives housing malware written in JavaScript. Once the file is opened and the malware activated, more payloads like Cobalt Strike, FONELAUNCH, and SNOWCONE are added, as well as another collection of downloaders with payloads including the high-profile IcedID banking trojan.
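As an added example that is not code from the article or from Mandiant, the check below is one a download gateway could run against the lure described above: a ZIP archive whose member is a script file named like a business document. The extension set, keyword list and sample archive are constructed assumptions for illustration.

```python
# Added example: flag ZIP archives that match the Gootloader lure pattern
# (a JavaScript file posing as a template, agreement or contract).
import io
import os
import zipfile

# Extensions Windows Script Host runs on double-click (assumed list).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe"}
# Document-themed words the article says victims search for (assumed list).
LURE_KEYWORDS = ("template", "agreement", "contract")


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per archive member that looks like a scripted lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        for info in members:
            lower = info.filename.lower()
            stem, ext = os.path.splitext(lower)
            if ext not in SCRIPT_EXTENSIONS:
                continue
            reasons = ["script member"]
            if any(k in lower for k in LURE_KEYWORDS):
                reasons.append("document-themed name")
            if "." in os.path.basename(stem):
                reasons.append("double extension")  # e.g. contract.pdf.js
            if len(members) == 1:
                reasons.append("sole member of archive")
            findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_zip(member_name: str, body: bytes) -> bytes:
    """Construct an in-memory ZIP (sample input) so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("partnership_agreement_template.js",
                              b"// constructed benign stub\n")
    for finding in inspect_archive(sample):
        print(finding)
```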

Three months ago, Mandiant researchers began seeing the Gootloader.PowerShell variant, whose infection chain writes a second JavaScript file to the system’s disk that reaches out to 10 hard-coded URLs, with each request containing encoded data about the compromised system, such as the version of Windows it’s using, the processes running, and filenames.

This one isn’t stopping

Since May 2021, Gootloader has used three variants of FONELAUNCH – FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE.

“The evolution of FONELAUNCH variants over time has allowed UNC2565 to distribute and execute a wider variety of payloads, including DLLs, .NET binaries, and PE files,” the Mandiant researchers wrote.

UNC2565 also has upped efforts to make Gootloader more difficult to detect and track, expanding the number of obfuscation variants to three, another indication of the ongoing evolution of the cyberthreat. The first appeared in May 2021 as a small JavaScript file with a single obfuscated block of code.

A second one appeared in October 2021 inside trojanized jQuery libraries rather than hanging out on its own, a likely attempt to evade detection and slow any analysis of the malware, the researchers wrote. It hides itself among more than 10,000 lines of code, according to Mandiant.

New samples of Gootloader with slight variations in the obfuscation code appeared in August 2022, extending the obfuscated string variables throughout the file – previous variants have them all on the same line – and inside a trojanized jit.js JavaScript file rather than jQuery. The third obfuscation variant – seen in Gootloader.PowerShell – is a modified and more complex infection.

“This new variant contains additional string variables that are used in a second deobfuscation stage,” the researchers wrote. “This new variant has been observed trojanizing several legitimate JavaScript libraries, including jQuery, Chroma.js, and Underscore.js.”

Mandiant’s report follows up one released earlier this month by Trend Micro, which said that Gootloader was being used in a series of attacks on organizations in Australia’s healthcare industry. Those analysts found that the threat group was continuing with the SEO poisoning technique for initial access but then abusing VLC Media Player and other legitimate tools to continue the infection.

“The threats targeting specific job sectors, industries, and geographic areas are becoming more aggressive,” the Trend team wrote. “In addition to the continued targeting of the legal sector with the [keyword] ‘agreement’ [in the SEO poisoning effort], we also found that the current operation has also clearly sharpened its targeting capability by including the words ‘hospital’, ‘health’, ‘medical’, and names of Australian cities.” ®