

Ethical Hacking News

GootLoader Malware: A Sophisticated Threat Vector Employing ZIP Archive Concatenation to Evade Detection




A new evasion technique has been observed in the GootLoader malware: the loader concatenates 500–1,000 ZIP archives into a single file to sidestep security controls. GootLoader has been detected in the wild for years and continues to evolve with new tricks, including custom font obfuscation and abuse of WordPress endpoints.

To counter this threat, organizations must stay vigilant and implement robust security measures, such as blocking suspicious executables and ensuring JavaScript files are opened in Notepad by default.

Key points on GootLoader and the techniques it uses to evade detection:


  • GootLoader uses an anti-analysis technique by concatenating 500-1,000 ZIP archives to evade detection.
  • The malware creates a malformed archive that can't be processed by automated workflows but can be opened by Windows default unarchiver.
  • Victims can extract and run the JavaScript malware without being detected due to the evasive techniques used.
  • GootLoader is distributed via SEO poisoning tactics or malvertising, targeting users looking for legal templates.
  • The malware has evolved with new tricks, including glyph substitution and abuse of the WordPress comment endpoint.
  • It uses "hashbusting" to evade detection by inserting random values into ZIP archives.
  • The attack chain involves XOR-encoded blobs, repeated appending, and PowerShell commands for persistence and execution.



    GootLoader, a JavaScript malware loader, has been observed using an intricate anti-analysis technique that concatenates 500–1,000 ZIP archives to evade detection. This approach lets the malware sidestep security controls and defeat automated workflows that would otherwise analyze the file's contents.

    According to a report shared with The Hacker News, Expel security researcher Aaron Walton explained that "The actor creates a malformed archive as an anti-analysis technique." This method involves creating a ZIP archive that is intentionally malformed, making it difficult for unarchiving tools like WinRAR or 7-Zip to extract its contents. However, the default Windows unarchiver can successfully open and process the archive.

    This leads to a scenario where the archive cannot be processed by automated workflows, preventing many security controls from detecting the malware. At the same time, it allows users who fall for the social engineering lure to extract and run the JavaScript malware without it being detected.

    GootLoader is typically distributed via search engine optimization (SEO) poisoning tactics or malvertising, targeting users looking for legal templates to take them to compromised WordPress sites hosting malicious ZIP archives. The malware has been detected in the wild since at least 2020 and has continued to evolve with new tricks, including leveraging custom WOFF2 fonts with glyph substitution to obfuscate filenames and exploiting the WordPress comment endpoint to deliver ZIP payloads when a user clicks on a "Download" button.

    The latest findings from Expel highlight the continued evolution of delivery methods employed by threat actors, with the GootLoader malware employing more sophisticated obfuscation mechanisms to evade detection. These mechanisms include concatenating multiple archives together to create a single, large archive that is difficult for security controls to detect. The malware also truncates the end of central directory (EOCD) records in the ZIP archive, causing parsing errors and preventing automated workflows from extracting its contents.

    Furthermore, GootLoader uses "hashbusting," a defense-evasion technique where random values are inserted into non-critical fields, such as disk number and Number of Disks. This causes unarchiving tools to expect a sequence of ZIP archives that do not exist, thereby avoiding detection.
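As an added defender-side illustration (this is not code from Expel or from the article), the following Python triage routine reads the ZIP structure described above without extracting anything: it counts end-of-central-directory records (more than one indicates concatenated archives), flags a truncated EOCD, flags non-zero disk-number fields of the kind hashbusting fills in, and compares the number of local file headers with the entry count the last EOCD claims. The sample archives it builds are constructed placeholders, not real samples.

```python
import io
import struct
import zipfile

EOCD_SIG, LOCAL_SIG = b"PK\x05\x06", b"PK\x03\x04"  # EOCD and local file header signatures
EOCD_FMT = "<4sHHHHIIH"  # sig, disk_no, cd_disk, entries_on_disk, entries_total, cd_size, cd_offset, comment_len
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes

def find_eocd_records(data: bytes) -> list:
    """Return every EOCD record in the stream; a well-formed ZIP has exactly one."""
    records, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        chunk = data[pos:pos + EOCD_LEN]
        if len(chunk) < EOCD_LEN:  # stream ends before the record does
            records.append({"offset": pos, "truncated": True})
        else:
            _, disk_no, cd_disk, _, total, _, _, _ = struct.unpack(EOCD_FMT, chunk)
            records.append({"offset": pos, "truncated": False, "disk_no": disk_no,
                            "cd_disk": cd_disk, "entries_total": total})
        pos = data.find(EOCD_SIG, pos + 1)
    return records

def triage_zip(data: bytes) -> dict:
    """Flag the structural tricks described in the article; never extracts content."""
    eocds = find_eocd_records(data)
    local_headers = data.count(LOCAL_SIG)
    findings = []
    if len(eocds) != 1:
        findings.append(f"{len(eocds)} EOCD records (concatenated or headless archive)")
    if any(r["truncated"] for r in eocds):
        findings.append("truncated EOCD record")
    if any(r["disk_no"] or r["cd_disk"] for r in eocds if not r["truncated"]):
        findings.append("non-zero disk-number fields (multi-disk spoof / hashbusting)")
    if eocds and not eocds[-1]["truncated"] and eocds[-1]["entries_total"] != local_headers:
        findings.append(f"{local_headers} local headers but last EOCD lists {eocds[-1]['entries_total']}")
    return {"eocd_count": len(eocds), "local_headers": local_headers, "findings": findings}

def build_archive(name: str = "template.js") -> bytes:
    """Constructed benign single-file archive used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, "// constructed placeholder, not malware\n")
    return buf.getvalue()

def build_concatenated_sample() -> bytes:
    """Two archives back to back, with fake disk numbers patched into the second EOCD."""
    second = bytearray(build_archive())
    struct.pack_into("<HH", second, second.rfind(EOCD_SIG) + 4, 7, 7)  # disk_no=7, cd_disk=7
    return build_archive() + bytes(second)
```

Signature scanning can match bytes inside stored file data, so treat the output as a triage signal to route a file for closer inspection rather than as a verdict.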

    The attack chain for GootLoader involves the delivery of a ZIP archive as an XOR-encoded blob, which is decoded and repeatedly appended to itself on the client side until it reaches a set size. When the downloaded ZIP archive is double-clicked by the victim, Windows' default unarchiver opens the ZIP folder containing the JavaScript payload in File Explorer.

    Launching the JavaScript file triggers its execution via "wscript.exe" from a temporary folder, since the file contents were not explicitly extracted. The JavaScript malware then creates a Windows shortcut (LNK) file in the Startup folder to establish persistence and ultimately executes a second JavaScript file using cscript, spawning PowerShell commands to take the infection to the next stage.

    In previous GootLoader attacks, the PowerShell script was used to collect system information and receive commands from a remote server. To counter the threat posed by GootLoader, organizations are advised to consider blocking "wscript.exe" and "cscript.exe" from executing downloaded content if not required, and to use a Group Policy Object (GPO) to ensure that JavaScript files are opened in Notepad by default instead of being executed via "wscript.exe."

    Overall, the GootLoader malware represents a sophisticated threat vector that leverages ZIP archive concatenation to evade detection. Its evolution highlights the importance of staying vigilant against emerging threats and implementing robust security controls to detect and mitigate such attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/GootLoader-Malware-A-Sophisticated-Threat-Vector-Employing-ZIP-Archive-Concatenation-to-Evade-Detection-ehn.shtml

  • https://thehackernews.com/2026/01/gootloader-malware-uses-5001000.html


  • Published: Fri Jan 16 12:26:24 2026 by llama3.2 3B Q4_K_M
