Gootloader Payload Distribution Report

Active since 2018, GootLoader is a malware downloader that can deliver secondary payloads such as Cobalt Strike, REvil ransomware, Gootkit, BlueCrab and the Kronos trojan. The malware’s primary method of distribution is conducted via search engine optimisation (SEO) poisoning techniques, including the use of sponsored search engine links. Accessing one of these links will direct victims to legitimate but compromised WordPress sites that host the malware contained within a .ZIP file.

Recent targeting trends show that the malware has been observed in attacks against law firms in the US, Canada, the UK, and Australia. This suggests that the malware is more likely to be incorporated with sponsored search engine adverts mimicking sites of interest for those operating within the law industry such as search results for legal documents and agreements.

Historic reporting indicates that Gootloader was primarily used to deploy ransomware, however, recent examples of the malware’s use has not involved the deployment of ransomware, suggesting a potential shift in operations and motivation by threat actors towards cyber espionage activities.

Gootloader Methodology

Impact

Successful exploitation by Gootloader will almost certainly result in loss of network integrity and enable further access to exploiting threat actors. Once infected with Gootloader, a threat actor will highly likely deploy additional malware payloads depending on their intentions and requirements. Common deployments include Gootkit, Cobalt Strike and various ransomware variations. The application of additional malware will likely result in loss of sensitive data for exploitation and loss of company reputation.