NEWS: WinRAR won't open it, but the malware will: Gootloader's developer has found an unusual loophole in security tooling.

pinkman

BOSS
Staff member
ADMIN
LEGEND
ULTIMATE
SUPREME
MEMBER
BFD Legacy
Joined
Feb 3, 2025
Messages
2,253
Reaction score
19,087
Deposit
0$
1768664535932.png
After a long lull, the veteran downloader Gootloader is back in the spotlight. Renewed activity was detected last March by the Huntress team, which attributed the comeback to the return of a developer previously associated with the Vanilla Tempest group. That infrastructure was later used by the Rhysida ransomware operation.
Analysis of the new Gootloader samples shows that the author has gone back to his earlier method of gaining initial access, but with modified evasion techniques. The return of this long-lived tool comes with updated tactics that make it harder to detect.
The centrepiece of the new campaign is an unusual ZIP archive that at first glance appears corrupted. The technique lets the attackers evade automated analysis and hide from antivirus engines while still ensuring the payload runs when the victim opens it.
The Gootloader delivery chain itself is unchanged: infection begins with a JScript file inside a ZIP archive. Opening the file launches PowerShell, which establishes persistence on the system. What makes this campaign noteworthy is the ZIP format. Each archive consists of several ZIP files concatenated together, which works because ZIP parsers begin reading from the end of the file. The number of concatenated fragments varies, and every downloaded archive is unique, which rules out matching the archives by hash.
The archive also violates the ZIP specification: it omits required bytes at the end of the central directory, and some fields, such as the disk number or the modification time, are filled with random values. This breaks tools like 7-Zip and WinRAR but does not affect the built-in Windows extractor. As a result, the malicious files remain accessible for the user to run, while most automated analysis systems cannot process the archive.
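To make the "parsers start from the end of the file" point concrete, here is an added example (my code, not Huntress's analysis tooling and not anything from the Gootloader author). It builds two small benign ZIPs in memory, glues them together, and shows that a spec-following parser (Python's zipfile, which locates the end-of-central-directory record and works backwards) lists only the second archive, while a signature scan over the raw bytes reveals both. The same scan flags non-zero "disk number" fields of the kind the article describes. All file names and contents are constructed; nothing here reproduces the real sample.

```python
import io
import struct
import zipfile

# ZIP record signatures ("PK" + two type bytes).
LFH_SIG = b"PK\x03\x04"   # local file header, precedes each member's data
EOCD_SIG = b"PK\x05\x06"  # end of central directory record, last thing in a well-formed archive
EOCD_LEN = 22             # fixed part; an optional comment may follow it


def make_zip(members):
    """Build an in-memory ZIP from {name: bytes}. Stored (no compression) so the demo
    bytes are deterministic and plain ASCII data cannot accidentally contain a PK signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def concatenated_demo_blob():
    """Two archives glued together (constructed demo, not a real Gootloader sample)."""
    first = make_zip({"readme.txt": b"nothing to see here"})
    second = make_zip({"invoice.js": b"// harmless placeholder script",
                       "notes.txt": b"second archive"})
    return first + second


def find_all(blob, sig):
    """Offsets of every occurrence of a signature. A signature can in theory also occur
    inside compressed member data, so these counts are a heuristic, not proof."""
    offs, i = [], blob.find(sig)
    while i != -1:
        offs.append(i)
        i = blob.find(sig, i + 1)
    return offs


def parse_eocd(blob, off):
    """Decode the fixed 22-byte end-of-central-directory record at offset off."""
    (_, disk_no, cd_disk, entries_disk, entries_total,
     cd_size, cd_offset, comment_len) = struct.unpack_from("<4sHHHHIIH", blob, off)
    return {"disk_no": disk_no, "cd_disk": cd_disk, "entries_disk": entries_disk,
            "entries_total": entries_total, "cd_size": cd_size,
            "cd_offset": cd_offset, "comment_len": comment_len}


def analyze(blob):
    """Flag structural oddities that a hash lookup or a single extractor would miss."""
    eocds = find_all(blob, EOCD_SIG)
    lfhs = find_all(blob, LFH_SIG)
    findings = []
    if not eocds:
        findings.append("no_eocd")
    else:
        if len(eocds) > 1:
            findings.append("multiple_eocd")           # several archives concatenated
        last = parse_eocd(blob, eocds[-1])
        if last["disk_no"] != 0 or last["cd_disk"] != 0:
            findings.append("nonzero_disk_numbers")    # junk where a single-disk ZIP has 0
        if len(lfhs) != last["entries_total"]:
            findings.append("lfh_cd_count_mismatch")   # members the parser will never list
        if eocds[-1] + EOCD_LEN + last["comment_len"] != len(blob):
            findings.append("trailing_data")
    # What an end-anchored, spec-following parser actually sees.
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        names = None
    return {"eocd_count": len(eocds), "lfh_count": len(lfhs),
            "parser_namelist": names, "findings": findings}


def patch_eocd_disk_numbers(blob, value):
    """Overwrite both disk-number fields of the final EOCD with an arbitrary value
    (mimics the random field values the article describes; demo only)."""
    off = blob.rfind(EOCD_SIG)
    return blob[:off + 4] + struct.pack("<HH", value, value) + blob[off + 8:]


if __name__ == "__main__":
    samples = [("clean", make_zip({"a.txt": b"hi"})),
               ("concatenated", concatenated_demo_blob()),
               ("junk-disk-fields", patch_eocd_disk_numbers(make_zip({"a.txt": b"hi"}), 0x1337))]
    for label, blob in samples:
        print(label, analyze(blob))
```

Run on the concatenated blob, the parser reports only `invoice.js` and `notes.txt`, yet the raw scan counts two EOCD records and three local file headers against a central directory that claims two entries. A sandbox that only trusts one extractor's output never sees that gap; counting signatures before extraction does.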
The Gootloader developer's approach is focused on stealth. Thanks to the "broken" ZIP and content that is unique on every download, the malicious code is hard to catch with standard tools. The JScript file itself is disguised as well: it contains thousands of lines of benign code with the malicious instructions hidden among them.
Because the user opens the script straight from the archive instead of extracting it manually, it runs directly from the Windows temporary folder. This creates a detection opportunity: for example, watch for wscript.exe launched with a script from the AppData\Local\Temp directory. Another indicator is the appearance of LNK files in the Startup folder that point to scripts in non-standard locations.
The second stage of the infection also deserves attention. The malware uses an old NTFS file format, a rarity in modern malware that can serve as an additional indicator. In addition, a process chain is observed at launch, from CScript to PowerShell and onward, which can likewise be used for detection.
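The indicators in the two paragraphs above, turned into detection logic over constructed process-creation and file-creation events. This is an added example written for this page, not code or telemetry from the article or from Huntress; the field names are Sysmon-like and the paths, PIDs and file names are invented. It flags a script host started with a script under AppData\Local\Temp, a PowerShell process whose ancestry contains both wscript.exe and cscript.exe, and an LNK dropped in the Startup folder, while a logon script run from a network share does not fire.

```python
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r"\.(js|jse|wsf|vbs|vbe)\b", re.IGNORECASE)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)

# Constructed sample telemetry (invented values). pid/ppid link the chain
# explorer -> wscript (script opened straight from the ZIP, so it runs from %TEMP%)
# -> cscript -> powershell. pid 500 is a benign logon script that must not alert.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process_create", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_agreement.zip\agreement_form.js"'},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Users\alice\AppData\Roaming\Adobe\stage.js"'},
    {"type": "process_create", "pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -NoProfile"},
    {"type": "process_create", "pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\corp\netlogon\map_drives.vbs"},
    {"type": "file_create", "pid": 400,
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
]


def image_name(path):
    """Lower-cased executable name from a full image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid, max_depth=8):
    """Image names from this process up towards the root (self first).
    max_depth guards against pid reuse producing a cycle in the sample."""
    chain, cur = [], event
    while cur is not None and len(chain) < max_depth:
        chain.append(image_name(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain


def detect(events):
    """Return (rule, pid) alerts for the Gootloader indicators described in the article."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            name = image_name(e["image"])
            # Script host executing a script straight out of the user's Temp directory.
            if (name in SCRIPT_HOSTS and TEMP_RE.search(e["cmdline"])
                    and SCRIPT_EXT_RE.search(e["cmdline"])):
                alerts.append(("script_host_from_temp", e["pid"]))
            # PowerShell whose parents include both script hosts.
            if name == "powershell.exe":
                parents = ancestry(e, by_pid)[1:]
                if "cscript.exe" in parents and "wscript.exe" in parents:
                    alerts.append(("wscript_cscript_powershell_chain", e["pid"]))
        elif e["type"] == "file_create" and STARTUP_LNK_RE.search(e["path"]):
            # Persistence: shortcut dropped into the per-user Startup folder.
            alerts.append(("lnk_in_startup", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The Temp-path rule is the cheapest and fires first; the ancestry rule needs the full process tree in the same window, so in a real pipeline keep a short-lived pid-to-event map rather than scanning a flat list as this example does. The LNK rule only sees creation of the shortcut; checking where it points requires parsing the .lnk, which the article's indicator implies but this example does not do.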
For protection, change the default system behaviour so that JScript files open not in WScript but in an ordinary text editor. This reduces the risk of accidentally running malicious code. If JScript is not needed at all, audit or completely block the execution of WScript and CScript.
Despite the sophistication of the ZIP archive, experts stress that this is exactly the stage at which defenders have a chance to break the infection chain before the attacker gains a foothold on the system. Blocking Gootloader early stops the later, more destructive ransomware components from ever being deployed.