November 25, 2022
Severity
High
Analysis Summary
GootLoader is a multi-staged JavaScript malware package that has been seen in the wild since late 2020. It first gained attention as a sophisticated multi-staged downloader for the information-stealing malware GootKit, from which it takes its name. Its payload delivery has evolved over time, and its capabilities have expanded well beyond distributing its namesake malware.
GootLoader leverages SEO poisoning to place links to its malware prominently in search-engine results, drawing in as many unsuspecting victims as possible. The group has also been seen using overlays that display a fake forum page over blog articles carrying highly targeted material related to government, finance, legal, healthcare, and education topics.
Impact
- Information Theft
- Unauthorized Access
- SEO Poisoning
Indicators of Compromise
MD5
d8d9a74061e8715e658aef25f427dfbc
5bc21d484d33450d84b61232441c1340
a55c8fd82d567b517240e8a91217f270
SHA-256
caaaeac39982a61cfcc59fb51fe4a1b7b737a14095ec55def41b6442b7082f71
1064fe5e8d30a0112b06ccf45669873d71838b93a7fdb22e0c4b54c2fca69e4a
94ddaa0dad8f1eb44f95b6185a1fe089e76bae04cf7031fd171faae3f7dce93d
SHA-1
a2c2d7179b87a7000c655e44e45f510b247c8798
d9f0b122451142324fb76a3f490441b0e6b07d9a
2641b06145e9bd533255d1b192d2721f66d5bfdf
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Never trust or open links and attachments received from unknown sources/senders.
- Do not download document files attached to emails from unknown sources, and strictly refrain from enabling macros when the source isn't reliable.
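As an added example (not part of the Rewterz advisory), the Python script below implements the "search for IOCs in your environment" step for hosts where no EDR hash lookup is available: it embeds the MD5, SHA-1 and SHA-256 values listed above, walks a directory tree, hashes every regular file once while updating all three digests together, and reports any file whose digest appears in the indicator set. The `make_sample_dir` helper writes a constructed, harmless file (content `abc`, not a real GootLoader sample) so the script can self-check offline; the directory path and all function names are assumptions of this example.

```python
import hashlib
import os
import sys
import tempfile

# Hashes taken from the advisory's Indicators of Compromise section.
GOOTLOADER_IOCS = {
    "MD5": {
        "d8d9a74061e8715e658aef25f427dfbc",
        "5bc21d484d33450d84b61232441c1340",
        "a55c8fd82d567b517240e8a91217f270",
    },
    "SHA-256": {
        "caaaeac39982a61cfcc59fb51fe4a1b7b737a14095ec55def41b6442b7082f71",
        "1064fe5e8d30a0112b06ccf45669873d71838b93a7fdb22e0c4b54c2fca69e4a",
        "94ddaa0dad8f1eb44f95b6185a1fe089e76bae04cf7031fd171faae3f7dce93d",
    },
    "SHA-1": {
        "a2c2d7179b87a7000c655e44e45f510b247c8798",
        "d9f0b122451142324fb76a3f490441b0e6b07d9a",
        "2641b06145e9bd533255d1b192d2721f66d5bfdf",
    },
}

CHUNK_SIZE = 1024 * 1024  # read files in 1 MiB pieces so large files do not sit in memory


def normalize(iocs):
    """Map advisory-style headers ('SHA-256') and mixed-case digests to hashlib names and lowercase hex."""
    return {
        algo.lower().replace("-", ""): {value.strip().lower() for value in values}
        for algo, values in iocs.items()
    }


def hash_file(path):
    """Return {'md5': ..., 'sha1': ..., 'sha256': ...} for one file, reading it exactly once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def sweep(root, iocs=GOOTLOADER_IOCS):
    """Walk `root` and return (path, algorithm, digest) for every file matching an indicator."""
    wanted = normalize(iocs)
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Skip symlinks and anything that is not a regular file (sockets, devices).
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked, unreadable or deleted mid-walk: skip, do not abort the sweep
            for algo, digest in digests.items():
                if digest in wanted.get(algo, set()):
                    matches.append((path, algo, digest))
    return matches


def make_sample_dir():
    """Create a throwaway directory holding a constructed, benign file for a self-check (assumed helper)."""
    directory = tempfile.mkdtemp(prefix="ioc-sweep-")
    sample = os.path.join(directory, "sample.js")
    with open(sample, "wb") as fh:
        fh.write(b"abc")  # constructed content, not malware
    return directory, sample


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = sweep(root)
    for path, algo, digest in hits:
        print(f"MATCH {algo} {digest} {path}")
    print(f"{len(hits)} indicator hit(s) under {root}")
```

Run it as `python ioc_sweep.py /path/to/user/Downloads` (or any directory where search-engine downloads land). A hash match is a high-confidence hit, but a miss proves nothing: changing a single byte of a re-packaged script yields a different digest, so treat this sweep as a complement to the blocking and behavioural controls above, not a substitute for them.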