Updated GootLoader malware variants emerge | SC Media


Attacks with the GootLoader malware used to distribute IcedID, REvil, Gootkit, and other payloads have intensified with the appearance of new variants of the loader, which has been associated with the Hive0127 threat operation, also known as UNC2565, reports The Hacker News.

Compromised websites have been seeded with the GootLoader JavaScript payload disguised as legal documents; once executed, the payload creates a scheduled task for persistence and launches a second JavaScript stage that performs data collection, a Cybereason analysis found.

The intrusions were further concealed through source code encoding, payload size inflation, and control flow obfuscation, according to the researchers, who also noted that the GootLoader code was embedded inside legitimate JavaScript library files such as Lodash, tui-chart, Maplace.js, and jQuery.

“While some of the particulars of GootLoader payloads have changed over time, infection strategies and overall functionality remain similar to the malware’s resurgence in 2020,” said Cybereason researchers.
