New GOOTLOADER Malware Uses Fileless Technique to Deploy Ransomware

The group behind the Windows Gootloader malware, known as UNC2565, has effectively modified the code to make it more intrusive and difficult to detect.

Researchers at Mandiant noted UNC2565 started making significant adjustments to its operational tactics, methods, and procedures (TTPs) in 2022. 

The distribution of additional follow-on payloads, the usage of various FONELAUNCH launcher variants, and changes to the GOOTLOADER downloader and infection chain, including the addition of GOOTLOADER. POWERSHELL, are among these enhancements.

Fileless Technique to Deploy Ransomware

Infections with GOOTLOADER start when a user searches online for business-related documents like templates, contracts, or agreements. 

A malicious package containing the JavaScript file known as GOOTLOADER is downloaded by the victim once they are enticed to visit a compromised website.

In this case, if the GOOTLOADER file is successfully executed, further payloads, such as FONELAUNCH and Cobalt Strike BEACON or SNOWCONE, will be downloaded and stored in the registry. In the subsequent stages, PowerShell is used to execute these payloads.

Researchers explain that there will be documents on the website that are actually dangerous ZIP archives containing JavaScript-based malware. 

More payloads like Cobalt Strike, FONELAUNCH, and SNOWCONE are uploaded after the file is opened and the malware is activated, along with another group of downloaders containing payloads like the well-known IcedID banking trojan.

Mandiant researchers initially noticed the Gootloader a few months ago, where each request made by the PowerShell variant’s infection chain, which includes a second JavaScript file written to the system’s disc and 10 hard-coded URLs, contains encoded information about the compromised system, including the Windows versions it is running, processes that are active, and filenames.

Since May 2021, Gootloader has utilized three different FONELAUNCH variants: FONELAUNCH.FAX, FONELAUNCH.PHONE, and FONELAUNCH.DIALTONE.

“The evolution of FONELAUNCH variants over time has allowed UNC2565 to distribute and execute a wider variety of payloads, including DLLs, .NET binaries, and PE files”, according to Mandiant researchers.

Around October 2021, Managed Defense observed GOOTLOADER embedded within trojanized jQuery libraries instead of being on its own, likely in an attempt to evade detection and hinder analysis.

Researchers discovered new samples in August 2022 with slight adjustments to the obfuscation code. The obfuscated string variables in these new samples were spread across the file rather than being contained on a single line.

A new obfuscation variation with a modified infection that is more complicated than the prior versions was noticed by researchers in November 2022.

“This new variant contains additional string variables that are used in a second deobfuscation stage. This new variant has been observed trojanizing several legitimate JavaScript libraries, including jQuery, Chroma.js, and Underscore.js”, researchers.

The successful execution of GOOTLOADER will result in the download of two additional payloads, FONELAUNCH and an in-memory dropper that typically delivers BEACON, to the registry paths.

These malware samples that are placed in the Windows registry as registry residents are designed to hide and avoid detection. These payloads are then launched in memory by GOOTLOADER.

Hence, these threats to particular industries, geographic regions, and job sectors are expanding. It is discovered that the current operation has also clearly sharpened its targeting capability by including the hospital, health, and medical, as well as names of Australian cities, in addition to the continued targeting of the legal sector with the keyword “agreement” in the SEO poisoning effort.

Network Security Checklist – Download Free E-Book