THREAT ALERT: GootLoader - SEO Poisoning and Large Payloads Leading to Compromise


The Cybereason Incident Response (IR) team investigated an incident involving new GootLoader deployment methods that rely on heavily obfuscated JavaScript files. Alongside the new techniques used to load GootLoader, Cybereason also observed Cobalt Strike being deployed through DLL hijacking of a VLC Media Player executable.

GootLoader generally relies on JavaScript for its infections. It also uses SEO poisoning to push its malicious pages higher in search engine results, since a higher ranking makes it more likely that victims will click the links.
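The two behaviours the alert describes, a script host running a downloaded JavaScript loader and a VLC binary loading a hijacked DLL, are both visible in endpoint telemetry. The following hunt script is an added example written for this page, not code from Cybereason or the alert. It runs two heuristic rules over Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The records, paths, and DLL name are constructed for illustration and are not indicators from the incident; the field names follow Sysmon's schema, but the exact DLL that was hijacked is not stated on the page and is assumed here.

```python
"""Hunt for the GootLoader / Cobalt Strike tradecraft described in the alert.

Rule 1: wscript.exe or cscript.exe executing a .js file from a user-writable
        location (the obfuscated GootLoader JavaScript after it is downloaded).
Rule 2: vlc.exe loading a DLL that is unsigned or sits in a user-writable
        directory (DLL hijacking of a relocated VLC Media Player binary).

Input records are dictionaries modelled on Sysmon Event ID 1 and 7 fields.
"""
import re
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Directories an ordinary user can write to. Legitimate software under
# Program Files never needs to load from these. Assumed prefix list.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Pull the first quoted-or-bare Windows path ending in .js out of a command line.
JS_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.js)(?!\w)"?', re.IGNORECASE)

# Constructed sample telemetry for this example (not real incident data).
SAMPLE_EVENTS = [
    # Benign-looking but suspicious: script host running a .js from Downloads.
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\contract_template.js"'},
    # Vendor installer script under Program Files: not flagged by Rule 1.
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Program Files\Vendor\installer.exe",
     "CommandLine": r'"C:\Windows\System32\cscript.exe" "C:\Program Files\Vendor\setup.js"'},
    # Relocated vlc.exe loading an unsigned DLL from Temp: DLL hijacking pattern.
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libvlc.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    # Stock install loading its own signed library: not flagged by Rule 2.
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
     "Signed": "true", "Signature": "VideoLAN", "SignatureStatus": "Valid"},
    # Unrelated process loading an unsigned DLL: outside Rule 2's scope.
    {"EventID": 7, "Image": r"C:\Program Files\Other\tool.exe",
     "ImageLoaded": r"C:\Program Files\Other\plugin.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def _is_user_writable(path):
    """True if the path lies under one of the user-writable prefixes."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def find_script_host_js(events):
    """Rule 1: return .js paths launched by a script host from a user-writable location."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        if ntpath.basename(ev.get("Image", "")).lower() not in SCRIPT_HOSTS:
            continue
        match = JS_PATH_RE.search(ev.get("CommandLine", ""))
        if match and _is_user_writable(match.group(1)):
            hits.append(match.group(1))
    return hits


def find_vlc_sideload(events):
    """Rule 2: return (vlc.exe path, DLL path) pairs where vlc.exe loaded an
    unsigned DLL or a DLL from a user-writable directory."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if ntpath.basename(ev.get("Image", "")).lower() != "vlc.exe":
            continue
        dll = ev.get("ImageLoaded", "")
        unsigned = str(ev.get("Signed", "")).lower() != "true"
        if unsigned or _is_user_writable(dll):
            hits.append((ev["Image"], dll))
    return hits


def hunt(events):
    """Run both rules and return their hits keyed by rule name."""
    return {
        "script_host_js": find_script_host_js(events),
        "vlc_sideload": find_vlc_sideload(events),
    }


if __name__ == "__main__":
    for rule, hits in hunt(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"[{rule}] {hit}")
```

Both rules are deliberately broad: portable VLC installs and legitimate scripts run from a profile directory will also match, so the output is a triage queue rather than a verdict. Rule 2 keys on signing state and location rather than on a particular DLL name because the hijacked DLL is not identified here and the same pattern applies to any DLL a relocated vlc.exe resolves from its own directory.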
