Gootloader Evades Detection With 1,000-Part ZIP Archives

Summary
– The Gootloader malware now evades detection with a malformed ZIP file built by concatenating up to 1,000 archives, which causes many analysis tools to crash.
– It employs multiple obfuscation techniques, including a truncated End of Central Directory and randomized disk number fields, to break parsing by most tools.
– The malware generates unique ZIP and JScript samples for each download and delivers the ZIP as an XOR-encoded blob to evade static and network-based detection.
– Once executed, it establishes persistence via shortcut files in the Startup folder and triggers a chain of execution involving PowerShell.
– Researchers recommend defensive measures like changing the default application for JScript files to Notepad and blocking wscript.exe and cscript.exe from executing downloaded content.
A sophisticated new evasion technique employed by the Gootloader malware involves the use of massively concatenated ZIP archives, a method designed to crash common analysis tools and slip past security defenses. This loader, in use for initial network access since 2020, has resurfaced with enhanced obfuscation after a recent hiatus. The core of the new method lies in creating a single malicious file that is actually hundreds of individual ZIP archives strung together, a tactic that exploits how many software parsers operate.
Security analysts note that while the default Windows extraction utility can open these malformed archives, popular third-party tools like 7-Zip and WinRAR often fail or crash when attempting to parse them. This creates a significant blind spot for automated security systems relying on those libraries. The threat actors behind Gootloader are bundling between 500 and 1,000 archives into one file, but that is just one layer of a multi-faceted anti-analysis strategy.
Recent investigations into updated samples reveal a suite of evasion mechanisms working in concert. The concatenation itself takes advantage of the fact that standard ZIP parsers locate the End of Central Directory record by scanning backwards from the end of the file; by adding up to a thousand archive headers, the process becomes computationally intensive and prone to failure. Further obfuscation includes using a truncated End of Central Directory record, which lacks two crucial bytes and breaks most parsing logic. Attackers also randomize disk number fields, tricking tools into looking for non-existent multi-disk sets, and introduce deliberate mismatches between metadata in different parts of the archive structure.
To avoid static signature-based detection, the campaign generates a unique ZIP and embedded JScript file for every download. Network detection is also thwarted by delivering the final payload as an XOR-encoded data blob. This blob is decoded and repeatedly assembled on the victim’s machine until it reaches its full, multi-archive size, hiding the true nature of the transfer from security appliances monitoring the traffic.
Once the archive is successfully unpacked on a target system, the malicious JScript file executes via the Windows Script Host. It establishes persistence by planting shortcut files in the Startup folder, which point to a secondary script. This ensures the malware runs at first launch and with every subsequent system boot, ultimately leading to the execution of PowerShell commands. This persistence mechanism is a hallmark of the loader’s operation, facilitating later stages like ransomware deployment.
Despite the sophisticated corruption techniques meant to disrupt analysis without breaking core functionality, defenders have identified structural anomalies that can serve as reliable detection points. Researchers have developed a YARA rule that focuses on a specific combination of ZIP header features, the presence of hundreds of repeating file headers, and anomalous central directory records. For proactive defense, a key recommendation is to change the default application for opening `.js` and `.jse` files from Windows Script Host to a simple text editor like Notepad, which prevents accidental execution. Organizations can also reduce their attack surface by blocking the `wscript.exe` and `cscript.exe` utilities from running any scripts downloaded from the internet, especially if JScript functionality is not required for normal business operations.
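The structural anomalies described above (many repeated archive headers, a truncated End of Central Directory record, nonzero disk number fields, mismatched entry counts) can be checked directly from the raw bytes. The following Python triage script is an added example, not code from the article or from the researchers' YARA rule; it uses only the standard library and builds its own constructed test input, so the sample it analyses is a benign placeholder, not a Gootloader file.

```python
import io
import struct
import zipfile

LFH_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"  # end of central directory (EOCD) signature; record is 22 bytes minimum


def analyze_zip(data: bytes) -> dict:
    """Count ZIP structures and flag the anomalies the article attributes to Gootloader archives."""
    eocd_offsets = []
    pos = data.find(EOCD_SIG)
    while pos != -1:
        eocd_offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 1)
    report = {
        "local_headers": data.count(LFH_SIG),   # heuristic: hundreds of these suggests concatenation
        "eocd_records": len(eocd_offsets),      # a well-formed archive has exactly one
        "concatenated": len(eocd_offsets) > 1,
        "truncated_eocd": False,
        "multidisk_fields": False,
        "entry_count_mismatch": False,
    }
    if eocd_offsets:
        tail = data[eocd_offsets[-1]:]          # parsers use the *last* EOCD, found by scanning backwards
        report["truncated_eocd"] = len(tail) < 22
        if len(tail) >= 12:
            # offsets 4..11: this disk, disk where the central directory starts,
            # entries on this disk, total entries
            this_disk, cd_disk, on_disk, total = struct.unpack_from("<HHHH", tail, 4)
            report["multidisk_fields"] = this_disk != 0 or cd_disk != 0
            report["entry_count_mismatch"] = on_disk != total
    return report


def build_sample(copies: int, tamper: bool) -> bytes:
    """Constructed test input: a tiny benign ZIP concatenated `copies` times.
    With tamper=True, the final EOCD gets a nonzero disk number and loses its last two bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed placeholder content\n")
    blob = buf.getvalue() * copies
    if not tamper:
        return blob
    eocd = blob.rfind(EOCD_SIG)
    blob = blob[:eocd + 4] + struct.pack("<H", 7) + blob[eocd + 6:]  # "number of this disk" = 7
    return blob[:-2]                                                 # drop the comment-length field


if __name__ == "__main__":
    print(analyze_zip(build_sample(1, tamper=False)))
    print(analyze_zip(build_sample(500, tamper=True)))
```

Signature counting is a heuristic: the four-byte header sequences can occur inside compressed data, so treat the counts as triage indicators rather than proof.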
(Source: Bleeping Computer)