Latest: Gootloader Now Uses 1,000-part Zip Archives For Stealthy Delivery
The Gootloader malware, typically used for initial access, is now using a malformed ZIP archive designed to evade detection by concatenating up to 1,000 archives.
The archived payload is a JScript file, and the malformed archive causes many tools to crash when they try to analyze it.
According to researchers, the malicious file is successfully unpacked using the default utility in Windows, but tools relying on 7-Zip and WinRAR fail.
To achieve this, the threat actor behind the malware concatenates between 500 and 1,000 ZIP archives, and also uses other tricks to make parsing by analysis tools more difficult.
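As an added example (not code from the article or from the researchers it cites), the Python script below builds two small ZIP archives in memory, concatenates them the way the article describes, and shows why tools disagree: a parser that trusts the trailing End-Of-Central-Directory (EOCD) record, as Python's zipfile does, sees only the last archive's member, while a forward walk over local file headers finds every member. The detection check flags a file when the two views differ or when more than one EOCD record is present.

```python
"""Detect concatenated ZIP archives by comparing two parser views.

Constructed sample: two single-member archives glued together.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End-Of-Central-Directory record signature
LOCAL_SIG = b"PK\x03\x04"  # local file header signature
LOCAL_HDR_FMT = "<4sHHHHHIIIHH"  # sig, ver, flag, method, time, date, crc, csize, usize, nlen, xlen
LOCAL_HDR_LEN = struct.calcsize(LOCAL_HDR_FMT)  # 30 bytes


def build_zip(name: str, data: bytes) -> bytes:
    """Build a one-member, STORED (uncompressed) ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def count_eocd(blob: bytes) -> int:
    """A well-formed archive has exactly one EOCD record; a concatenation has several."""
    return blob.count(EOCD_SIG)


def local_header_names(blob: bytes) -> list[str]:
    """Walk local file headers from offset 0, skipping over each member's data.

    This is roughly what a sequential extractor sees, so it finds members
    from every glued-on archive, not just the last one.
    """
    names, pos = [], 0
    while (pos := blob.find(LOCAL_SIG, pos)) >= 0:
        fields = struct.unpack_from(LOCAL_HDR_FMT, blob, pos)
        csize, nlen, xlen = fields[7], fields[9], fields[10]
        names.append(blob[pos + LOCAL_HDR_LEN:pos + LOCAL_HDR_LEN + nlen].decode())
        pos += LOCAL_HDR_LEN + nlen + xlen + csize
    return names


def central_directory_names(blob: bytes) -> list[str]:
    """What an EOCD-driven parser reports: only the central directory the last EOCD points to."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def is_concatenated(blob: bytes) -> bool:
    """Flag archives whose two views disagree or that carry more than one EOCD record."""
    return count_eocd(blob) > 1 or set(local_header_names(blob)) != set(central_directory_names(blob))


if __name__ == "__main__":
    sample = build_zip("first.txt", b"alpha") + build_zip("second.txt", b"beta")
    print("EOCD records:", count_eocd(sample))
    print("local headers:", local_header_names(sample))
    print("central directory:", central_directory_names(sample))
    print("concatenated:", is_concatenated(sample))
```

Real samples may also use compression, data descriptors or ZIP64 records, which this minimal walker does not handle; treat it as a triage check rather than a full parser.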
The Gootloader malware loader has been active since 2020 and is used by various cybercriminal operations, including ransomware deployments.
After a seven-month break, the operation returned last November, as reported by security researchers at Huntress Labs and the DFIR Report.
While malformed ZIP archives were present back then, they came with minimal modifications, and there were filename mismatches when trying to extract the data.
To further harden this stage against analysis, Gootloader operators have now implemented far more extensive obfuscation mechanisms, according to Expel researchers analyzing more recent samples.
Specifically, the following mechanisms are now used to evade detection and analysis:
Once executed on the host, the malware’s JScript activates via Windows Script Host (WScript) from a temporary directory and establishes persistence by adding shortcut (.LNK) files to the Startup folder that point to a second JScript file.
Source: BleepingComputer