Gootloader Malware Evades Detection with Malformed ZIP Archives
Gootloader, a loader used to gain initial access to victim networks, has adopted a new technique to evade detection. According to recent research, it is now delivered inside malformed ZIP archives built by concatenating up to 1,000 archives, which makes the payload harder for defenders to spot and block.
Malformed ZIP archives are not a new trick, but the latest samples add more extensive obfuscation, which makes them harder to detect. The researchers found that the archives abuse ZIP header features, in particular repeated Local File Headers and End of Central Directory (EOCD) records. Repeated headers give one file more than one plausible structure, so a scanner that parses the archive from one end can list different entries than the extraction tool on the victim's machine, and the script the user actually runs is never inspected.
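The following is an added example, not code from the research or from this page. It builds a constructed archive in memory by concatenating two complete ZIP files (so Local File Headers and EOCD records repeat) and then lists the entries two ways: by trusting the trailing EOCD record and its central directory, as most library-based parsers do, and by walking Local File Headers from the start of the file, as a streaming extractor does. It flags the archive when the two views disagree or when more than one EOCD record is present. The file names, contents and the script-extension list are invented for the demonstration; the .js entry is an inert comment, not a real loader.

```python
"""Two ways of listing a ZIP archive, and a check that they agree.

Added example; the sample archive is constructed in memory by gluing two
well-formed ZIP files together, each with its own Local File Header,
central directory and EOCD record.
"""
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header signature
CD_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory record signature

# Extensions the example treats as script payloads (illustrative list).
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")


def build_zip(entries):
    """Build one well-formed archive; ZIP_STORED keeps the bytes predictable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def build_concatenated_zip():
    """Constructed sample: a decoy archive followed by a second archive whose
    only entry carries a JScript name. The .js body is an inert comment."""
    decoy = build_zip([("invoice.txt", b"plain text decoy\n")])
    tail = build_zip([("invoice.js", b"// inert placeholder, not a real script\n")])
    return decoy + tail


def central_directory_names(blob):
    """Entries as seen by a parser that trusts the EOCD record found by
    searching backwards from the end of the file. The central-directory
    offset in the EOCD is relative to the start of *its own* archive, so any
    data in front of that archive must be added back (Python's zipfile makes
    the same correction, which is how it tolerates self-extractor stubs)."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no EOCD record")
    entries, cd_size, cd_offset = struct.unpack_from("<HII", blob, eocd + 10)
    prepended = eocd - cd_size - cd_offset  # zero for a single, clean archive
    pos = cd_offset + prepended
    names = []
    for _ in range(entries):
        if blob[pos:pos + 4] != CD_SIG:
            raise ValueError("bad central directory entry at %d" % pos)
        nlen, elen, clen = struct.unpack_from("<HHH", blob, pos + 28)
        names.append(blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"))
        pos += 46 + nlen + elen + clen
    return names


def walk_local_headers(blob):
    """Entries found by following Local File Headers from byte 0, the way a
    streaming extractor works. After each archive's central directory and
    EOCD the walk resumes at the next LFH signature, so concatenated
    archives are traversed in full."""
    names = []
    pos = blob.find(LFH_SIG)
    while pos >= 0 and pos + 30 <= len(blob):
        (_, _, flags, _, _, _, _, csize, _, nlen, elen) = struct.unpack_from(
            "<4sHHHHHIIIHH", blob, pos)
        names.append(blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        data_start = pos + 30 + nlen + elen
        if flags & 0x08:
            # Sizes live in a trailing data descriptor; resume at the next header.
            pos = blob.find(LFH_SIG, data_start)
        else:
            pos = data_start + csize
        if pos >= 0 and blob[pos:pos + 4] != LFH_SIG:
            pos = blob.find(LFH_SIG, pos)  # skip central directory / EOCD
    return names


def analyse(blob):
    """Compare both views and flag structural anomalies worth a closer look."""
    cd = central_directory_names(blob)
    lfh = walk_local_headers(blob)
    only_local = [n for n in lfh if n not in cd]
    only_cd = [n for n in cd if n not in lfh]
    eocds = blob.count(EOCD_SIG)
    every_name = set(cd) | set(lfh)
    return {
        "eocd_records": eocds,
        "central_directory": cd,
        "local_headers": lfh,
        "only_in_local_walk": only_local,
        "only_in_central_directory": only_cd,
        "script_entries": sorted(n for n in every_name if n.lower().endswith(SCRIPT_EXTS)),
        "suspicious": eocds != 1 or bool(only_local) or bool(only_cd),
    }


if __name__ == "__main__":
    for label, blob in (("clean", build_zip([("notes.txt", b"hello\n")])),
                        ("concatenated", build_concatenated_zip())):
        print(label, analyse(blob))
```

Which entry a given tool extracts from such a file depends on whether it starts from the EOCD at the end or from the first Local File Header at the front; the detection value lies in refusing to trust either view alone and treating any archive with more than one EOCD record, or with entries that appear in only one listing, as malformed.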
To block execution, the researchers recommend changing the default handler for JScript (.js) files from Windows Script Host to Notepad, so that a double-clicked script opens as text instead of running. This does not stop the archive from being downloaded, but it breaks the step where the user launches the loader, and so reduces the risk of a successful infection.