“Hive0127 typically targets online searches for contracts, legal forms or other business-related documents; for example: ‘Is a closing statement the same as a grand contract?’,” researchers from X-Force explain. “Targets are served a compromised website modified to appear as a legitimate forum at the top of the poisoned search engine results page. Within the forum conversation, the targets are then tricked into downloading an archive file related to their initial search terms, but which actually contains Gootloader.”
From Gootloader to GootBot
In past campaigns, this is the stage where attackers deployed Cobalt Strike or other more advanced payloads. However, the X-Force researchers recently observed a new payload in the form of an obfuscated PowerShell script that reaches out to a single C2 server and waits for additional tasks to execute. They named this payload GootBot since it’s a more lightweight variant of Gootloader itself.
“As a response, GootBot expects a string consisting of a Base64-encoded payload, and the last eight characters being the task name,” the researchers said. “It then decodes the payload and injects it into a simple scriptblock before executing it in a new background job using the ‘Start-Job’ Cmdlet. This allows the PowerShell payload to be run asynchronously and without creating a child process, potentially resulting in fewer EDR detections.”
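As an added triage example (not code from the article or from X-Force), the Python below splits a captured GootBot response into its task name and decoded payload along the lines the researchers describe, without executing anything, and flags strings the article associates with its tasks. The sample response, the task name "task0001" and the UTF-8 text encoding of the payload are assumptions.

```python
"""Triage helper for a captured GootBot C2 response (constructed example).

Assumption (from the article): the response is <Base64 payload><8-char task name>.
The decoded payload's text encoding is not stated; UTF-8 is assumed, with a
UTF-16LE fallback. Nothing here executes the payload.
"""
import base64
import binascii
import re

TASK_NAME_LEN = 8  # the last eight characters carry the task name

# Strings the article associates with GootBot's lateral-movement tasks
INDICATORS = ("Start-Job", "lsass", "SAM", "SYSTEM", "SECURITY")


def split_task(response: str) -> tuple[str, bytes]:
    """Return (task_name, decoded_payload) for one C2 response string."""
    if len(response) <= TASK_NAME_LEN:
        raise ValueError("response too short to hold a payload and a task name")
    b64, task_name = response[:-TASK_NAME_LEN], response[-TASK_NAME_LEN:]
    try:
        payload = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"payload is not valid Base64: {exc}") from exc
    return task_name, payload


def payload_text(payload: bytes) -> str:
    """Decode payload bytes as UTF-8, falling back to UTF-16LE (assumption)."""
    try:
        return payload.decode("utf-8")
    except UnicodeDecodeError:
        return payload.decode("utf-16-le", errors="replace")


def find_indicators(script: str) -> list[str]:
    """Whole-word, case-insensitive search for the strings in INDICATORS."""
    return [s for s in INDICATORS
            if re.search(rf"\b{re.escape(s)}\b", script, re.IGNORECASE)]


# Constructed sample: a harmless script body plus a made-up task name "task0001".
SAMPLE_SCRIPT = "Get-ChildItem C:\\ ; Start-Job -ScriptBlock { 'demo' }"
SAMPLE_RESPONSE = base64.b64encode(SAMPLE_SCRIPT.encode()).decode() + "task0001"


if __name__ == "__main__":
    name, raw = split_task(SAMPLE_RESPONSE)
    text = payload_text(raw)
    print(f"task={name} indicators={find_indicators(text)}")
    print(text)
```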
What makes GootBot different is that it is not only deployed on the system where Gootloader was first executed, but also on other systems in the same network. The payloads that GootBot receives are PowerShell scripts used for lateral movement: they enumerate network systems and the domain, and exfiltrate credentials by dumping the memory of the LSASS process as well as registry hives such as SAM, SYSTEM, and SECURITY.