Gootloader malware back for the attack, serves up ransomware

Gootloader malware has resurfaced after a period of dormancy, now delivering ransomware in partnership with the Vanilla Tempest group (aka Rhysida). Huntress Labs has identified three recent Gootloader infections since October 27, with two leading to rapid domain controller compromise within 17 hours of initial access.

The malware operation involves a criminal partnership where Storm-0494 manages Gootloader operations and initial access before handing off compromised environments to Vanilla Tempest for post-exploitation and ransomware deployment.

Gootloader, active since at least 2014, acts as both a malware dropper and an infostealer. This resurgence includes updated techniques like custom WOFF2 fonts with glyph substitution to obfuscate filenames, combined with familiar SEO poisoning tactics. In one case, a user searching for specific terms on Bing was directed to a compromised site, leading to the download of a ZIP archive containing malicious JavaScript.

This JavaScript abuses WordPress’s comment submission endpoint to hide encrypted payloads. Once executed, the JavaScript leads to the deployment of additional payloads, including ransomware.

The malware uses a custom web font embedded in the JavaScript code to obfuscate filenames, displaying them as gibberish in the source code but rendering them correctly in the browser. Within 10 to 20 minutes of initial JavaScript execution, Gootloader establishes persistence and deploys the Supper SOCKS5 backdoor for remote access.

Huntress observed four instances of the Supper backdoor in one infection. Vanilla Tempest’s signature Supper backdoor and a specific obfuscator named TextShell were also identified, linking these infections to the ransomware group.

The attackers perform reconnaissance and then use Windows Remote Management (WinRM) to move laterally to the domain controller, where they create a new user with admin-level access. They then use Impacket to execute commands remotely, identifying backup snapshots before likely deleting them and deploying ransomware.
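The sequence above (a remote logon to the domain controller followed minutes later by a new account being created and placed in a privileged group) is a correlation a defender can alert on. The following is an added example, not Huntress's detection content or any Gootloader code: the event IDs 4624, 4720 and 4732 are real Windows Security log IDs, while the record layout, host names, account names and timestamps are constructed.

```python
"""Correlate Windows Security events for the lateral-movement pattern described
above: a network (type 3) logon to a domain controller followed, within a short
window, by the same actor creating an account and adding it to a privileged group.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). "user" is the acting account:
# TargetUserName for 4624, SubjectUserName for 4720/4732; "target" is the new account.
SAMPLE_EVENTS = [
    {"time": "2025-11-03T09:00:00", "id": 4624, "host": "DC01", "logon_type": 3, "user": "jdoe"},
    {"time": "2025-11-03T09:04:10", "id": 4720, "host": "DC01", "user": "jdoe", "target": "svc_backup2"},
    {"time": "2025-11-03T09:04:40", "id": 4732, "host": "DC01", "user": "jdoe",
     "target": "svc_backup2", "group": "Administrators"},
    {"time": "2025-11-03T11:30:00", "id": 4624, "host": "WS07", "logon_type": 2, "user": "asmith"},
    {"time": "2025-11-03T14:00:00", "id": 4720, "host": "DC01", "user": "helpdesk", "target": "newhire"},
]

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def find_remote_admin_creation(events, window=timedelta(minutes=30), dc_hosts=("DC01",)):
    """Return (actor, host, new_account) tuples: an actor logs on to a DC over the
    network, then creates an account and adds it to a privileged group within `window`."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for logon in events:
        if logon["id"] != 4624 or logon.get("logon_type") != 3 or logon["host"] not in dc_hosts:
            continue
        t0 = datetime.fromisoformat(logon["time"])
        created = set()  # accounts this actor created on this host after the logon
        for e in events:
            t = datetime.fromisoformat(e["time"])
            if not (t0 <= t <= t0 + window) or e["host"] != logon["host"] or e["user"] != logon["user"]:
                continue
            if e["id"] == 4720:
                created.add(e["target"])
            elif e["id"] == 4732 and e.get("group") in PRIVILEGED_GROUPS and e["target"] in created:
                alerts.append((logon["user"], logon["host"], e["target"]))
    return alerts


if __name__ == "__main__":
    for actor, host, account in find_remote_admin_creation(SAMPLE_EVENTS):
        print(f"ALERT: {actor} created privileged account {account} on {host} after a remote logon")
```

A local console logon (type 2) and an account creation with no preceding remote logon are deliberately left unflagged so the rule fits the chain described rather than every account change.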

The speed of the attack chain makes Gootloader particularly dangerous: it leaves a narrow window for detection and response before the domain controller is compromised and ransomware deployment is staged.

Huntress has released indicators of compromise, YARA rules, and Supper backdoor detections to aid defenders in identifying Gootloader and Vanilla Tempest activity on their networks. Security teams should prioritize monitoring for unusual web traffic, suspicious JavaScript execution, and lateral movement activities, with a focus on rapidly detecting and responding to potential intrusions.

This post is licensed under CC BY 4.0 by the author.