LgoogLoader
Type: Loader
⚠️ Overview
LgoogLoader is a lightweight malware loader first documented by security researchers in mid-2022. It is classified as a loader and downloader: its job is to fetch and run second-stage payloads, typically information stealers and remote access trojans. It is believed to be operated by a financially motivated threat actor tracked as TA578, who uses it in phishing campaigns against organizations in North America and Europe.
🔧 Technical Capabilities
LgoogLoader propagates mainly through spear-phishing e-mails carrying malicious Microsoft Office documents or PDFs; the Office documents contain VBA macros that, once enabled, download and execute the loader. The infection chain is multi-stage: the initial dropper retrieves an encrypted payload from a hardcoded URL, hosted either on compromised legitimate websites or on public cloud storage such as Google Drive (the Google hosting is the origin of the name). The loader then establishes persistence through a scheduled task created in the current user's context, so no elevation is required, and uses process hollowing to run the final payload inside a legitimate host process such as regsvr32.exe or rundll32.exe. For evasion it performs environment checks typical of sandbox detection (CPU core count and disk size below what a real workstation would have) and talks to its C2 over HTTPS, base64-encoding the exchanged data and setting a custom User-Agent that mimics Googlebot. Because the User-Agent travels inside the TLS session, it is only observable at a TLS-terminating proxy or on the infected host.
📜 History & Notable Incidents
First identified in June 2022 by Cyble researchers, LgoogLoader was observed in waves targeting the healthcare, education and manufacturing sectors. In July 2022, a campaign distributed the loader through fake invoice attachments that led to the deployment of the Vidar stealer and the NetSupport Manager RAT. No CVEs are associated with LgoogLoader itself; some variants, however, are delivered through documents that exploit CVE-2017-11882, the stack buffer overflow in the Office Equation Editor (EQNEDT32.EXE), which executes without a macro-enable prompt. No law enforcement action against the group has been publicly reported.
🔍 Detection Indicators
SHA-256 hashes for known samples are listed in Cyble's report. Behavioral indicators include creation of a scheduled task named "GoogleUpdateTask" (Chrome's genuine updater registers tasks named GoogleUpdateTaskMachineCore, GoogleUpdateTaskMachineUA and GoogleUpdateTaskUser<SID>Core/UA that run GoogleUpdate.exe from Program Files, so match the exact task name and its action rather than the prefix) and outbound HTTPS connections on port 443 to suspicious IP addresses. Network indicators include payload retrieval from legitimate cloud-storage domains abused for hosting (e.g., dl.dropboxusercontent[.]com, which is a genuine Dropbox domain and therefore a weak indicator on its own) and the User-Agent string "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" on requests originating from workstations; this is the real Googlebot User-Agent and is only anomalous when it leaves a client rather than arriving at a web server. Persistence is also indicated by a value added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run that launches an executable named "winhelper.exe".
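The host and network indicators above, together with the base64-over-HTTPS C2 channel described under Technical Capabilities, can be turned into triage logic. The script below is an added example written for this page, not code from Cyble, Zscaler or the loader itself. It scans a constructed proxy log for crawler User-Agents leaving internal clients and base64-decodes their query parameters, checks a scheduled-task export for names that borrow Google's prefix without being Google's own updater tasks, and checks Run-key entries for winhelper.exe or executables launched from user-writable paths. The log format, host names, paths and beacon contents are constructed for the example; only the Googlebot User-Agent, the "GoogleUpdateTask" name and the "winhelper.exe" value come from the page, and the crawler check goes slightly beyond it by flagging other crawler strings as well.

```python
"""LgoogLoader indicator triage. Added example for this page, not code from
Cyble, Zscaler or the loader. Log format (ts|src_ip|method|url|user_agent),
hosts, paths and beacon contents are constructed; the Googlebot UA, the
"GoogleUpdateTask" name and "winhelper.exe" come from the page."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Genuine Googlebot string: only anomalous on traffic leaving a client, since
# real Googlebot requests arrive at web servers, they do not originate from them.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
CRAWLER_UA = re.compile(r"Googlebot|bingbot|Baiduspider", re.I)
# Chrome's real updater registers GoogleUpdateTaskMachineCore/UA and
# GoogleUpdateTaskUser<SID>Core/UA running GoogleUpdate.exe from Program Files:
# match the exact name and action, not the "GoogleUpdateTask" prefix.
LEGIT_GOOGLE_TASK = re.compile(r"^GoogleUpdateTask(?:Machine|UserS-1-5-21-[\d-]+)(?:Core|UA)$")
LEGIT_GOOGLE_PATH = re.compile(r"\\Google\\Update\\GoogleUpdate\.exe", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp)\\", re.I)


def decode_beacon(value):
    """Plaintext if `value` is base64 that decodes to printable ASCII, else None."""
    try:
        raw = base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text and text.isprintable() else None


def scan_proxy_log(lines, internal_nets=("10.", "192.168.")):
    """Flag internal clients sending a crawler UA and decode base64 query values.
    Only works on logs from a TLS-terminating proxy: the UA sits inside HTTPS."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, _method, url, ua = line.rstrip("\n").split("|", 4)
        if not src.startswith(internal_nets) or not CRAWLER_UA.search(ua):
            continue
        parts = urlsplit(url)
        decoded = {}
        # Split the query by hand: parse_qs would turn '+' in base64 into spaces.
        for pair in parts.query.split("&"):
            if "=" in pair:
                key, val = pair.split("=", 1)
                text = decode_beacon(val)
                if text:
                    decoded[key] = text
        alerts.append({"ts": ts, "src": src, "host": parts.hostname,
                       "exact_ua": ua == GOOGLEBOT_UA, "decoded": decoded})
    return alerts


def _exe_path(cmd):
    # First token of a command line, keeping quoted paths whole. Unquoted paths
    # with spaces are cut at the first space, so quote your exports where possible.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def scan_tasks(tasks):
    """tasks: (name, action) pairs, e.g. from `schtasks /query /v /fo csv`."""
    findings = []
    for name, action in tasks:
        name = name.lstrip("\\")
        if "GoogleUpdateTask" not in name:
            continue
        if not LEGIT_GOOGLE_TASK.match(name) or not LEGIT_GOOGLE_PATH.search(action):
            findings.append(name)
    return findings


def scan_run_keys(entries):
    """entries: Run-key value name -> command line. Flags winhelper.exe and
    anything launched from a user-writable directory."""
    findings = []
    for value, cmd in entries.items():
        exe = _exe_path(cmd)
        if exe.rsplit("\\", 1)[-1].lower() == "winhelper.exe" or USER_WRITABLE.search(exe):
            findings.append(value)
    return findings


# Constructed sample telemetry (not real IOCs): a benign download from a genuine
# Dropbox domain, a loader-style beacon, and a real crawler hitting our own site.
PROXY_LOG = [
    "# ts|src_ip|method|url|user_agent",
    "2022-07-12T09:14:03Z|10.20.1.55|GET|https://dl.dropboxusercontent.com/s/k2x/report.pdf"
    "|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0 Safari/537.36",
    "2022-07-12T09:14:41Z|10.20.1.55|GET|https://cdn-upd.example/gate.php"
    "?d=aG9zdD1XUzAxO3VzZXI9YWxpY2U=|" + GOOGLEBOT_UA,
    "2022-07-12T09:15:02Z|203.0.113.9|GET|https://www.example.com/|" + GOOGLEBOT_UA,
]
TASKS = [
    ("\\GoogleUpdateTaskMachineUA",
     r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler'),
    ("\\GoogleUpdateTask", r'"C:\Users\alice\AppData\Local\Temp\gu.exe"'),
]
RUN_KEYS = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "WinHelper": r'"C:\Users\alice\AppData\Roaming\winhelper.exe" /s',
}

if __name__ == "__main__":
    for alert in scan_proxy_log(PROXY_LOG):
        print("proxy:", alert)
    print("tasks:", scan_tasks(TASKS))
    print("run keys:", scan_run_keys(RUN_KEYS))
```

On the sample data the proxy scan raises one alert, for the internal host sending the Googlebot string to cdn-upd.example with a query value that decodes to `host=WS01;user=alice`; the benign Dropbox download and the external crawler are ignored. The task scan flags only the look-alike "GoogleUpdateTask" whose action runs from %TEMP%, and the Run-key scan flags only the winhelper.exe entry. Feed it real exports by replacing the constructed lists with lines read from your proxy and from `schtasks /query /v /fo csv` or `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.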
☠️ Risk & Impact
LgoogLoader's purpose is to deploy stealer malware, so an infection typically leads to exfiltration of credentials, browser cookies and cryptocurrency wallets, with the resulting financial losses borne by individuals and organizations. The healthcare sector was particularly affected in mid-2022; incident reports from Zscaler describe disruption to hospital operations and exposure of patient data.
🛡️ Mitigation
Defenders should block macros in Office documents obtained from the internet by default (Microsoft's current default, which can be enforced through Group Policy), enforce application allowlisting so untrusted executables such as the dropped loader cannot run from user-writable paths, and deploy network detection (e.g., Snort or Suricata signatures) for the User-Agent string referenced in the Cyble and Zscaler advisories (Cyble: "LgoogLoader: A New Malware Loader", cyble.com; Zscaler ThreatLabz, zscaler.com). Two caveats apply to such a network rule: the User-Agent is carried inside HTTPS, so the sensor must sit behind a TLS-terminating proxy or consume the proxy's logs, and the string is the genuine Googlebot User-Agent, so the rule must be scoped to outbound traffic from client subnets or it will fire on every legitimate crawl of your own web servers. Patching CVE-2017-11882 remains important; Microsoft's January 2018 updates removed the vulnerable Equation Editor component entirely, so a fully updated Office installation is not exposed.