Hackers target Remote Desktop Protocol (RDP) via malware because it provides them with remote access to a victim’s computer or network, allowing them to:-
Cybersecurity researchers at IBM X-Force affirmed recently that in place of conventional frameworks like CobaltStrike, the Gootloader group unveiled GootBot, a new tool for C2 and lateral movement.
GootBot, a stealthy Gootloader variant for lateral movement, complicates detection. The group uses SEO poisoning to target victims, introducing their custom bot to avoid detections while rapidly spreading and deploying payloads.
GootBot is expanding its post-infection capabilities, enabling threat actors to remain hidden for longer by running encrypted PowerShell scripts. Besides this, Gootloader was previously usually utilized for initial access.
GootBot is a lean PS script with a single C2 server that infiltrates enterprise domains via hacked WordPress sites, posing a risk with undetected activity, reads the IBM X-Force report.
Hive0127 (aka UNC2565) has been active since 2014 and deploys Gootloader via SEO poisoning and hacked WordPress sites, enabling ransomware and more.
Gootloader begins with a user downloading an infected archive, leading to obfuscated JavaScript files placed strategically in %APPDATA%.
This virus uses stages that collect data and connect with compromised WordPress-based C2 servers to schedule activities for persistence and allow dynamic PowerShell execution.
Moreover, this new variant is a lightweight PowerShell script with a single C2 server, enabling:-
GootBot beacons every 60 seconds, adjustable with a specific string. It handles task results for child jobs from the C2, sending ‘E1’ for incomplete jobs and ‘E2’ for missing ones.
A modulo-based approach is used to obscure the string after Base64 encoding, which is similar to the trick used by Gootloader.
GootBot sends POST requests to its C2 server, splitting data if it’s over 100,000 chars. It spreads laterally, using various techniques to infect hosts.
Its C2 generates diverse payloads and deploys them automatically. WinRM, SMB, and WinAPI are used for lateral movement.
Environment variables store encrypted strings, reducing script size. GootBot spoofs PowerShell process arguments by creating new processes.
StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.
GootBot also runs a reconnaissance script that collects the following data:-
Here below, we have mentioned all the recommendations offered by the security researchers:-
Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.
Best DNS Management Tools play a crucial role in efficiently managing domain names and their…
Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS environments…
Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling them…
SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases from…
In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting abuse…
The Metasploit Framework, a widely used open-source penetration testing tool maintained by Rapid7, has introduced…