Advisory Type |
Malware Intelligence |
Malware Type |
Loader |
Malware Name |
Gootloader |
Target OS |
Windows |
Targeted Countries |
North America, South Korea, Germany, France |
Executive Summary
Gootloader is a Javascript-based infection framework that has a new mechanism of delivering its payload. The operators of this malware have compromised over 400 servers that host legitimate websites; they edit the content of the compromised websites to start seemingly legitimate discussions with the help of key words that answer users’ queries. Gootloader operators leverage SEO (Search Engine Optimization) techniques that allow Google to index the compromised websites to help them appear as part of its search results. The attack vector works for certain countries and for certain search engines (such as Google). And in case the search didn’t match the criteria of the loader, the search result will be legitimate webpages. The Gootlaoder malware delivers fileless GootKit RAT, REvil ransomware, CobaltStrike, and Kronos Trojan.Technical Details
- The initial payload is a single javascript file within a zip file. This in turn is provided as a downloadable link on the same forum thread that potential victims visit. The javascript payload is twice obfuscated to avoid detection by end-point protection tools.
- After running the script, it connects to the C2 server to receive a sequence of numbers that represent the ASCII characters of the second stage payload which will be loaded directly into the memory leaving no traces for its existence into the system.
- The second payload, after decoding numeric values to text, and it writes keys/ values in the registry under the HKCU/ Software hive.
- Also it creates an autorun for a PowerShell script, which runs each time the system boots, and decodes and runs the .NET loader payload.
- The PowerShell script creates a registry run key as a failsafe mechanism to execute the payload in the next reboot.
- The .Net loader contains a Delphi-based loader. The loader has two sequences of hexadecimal numbers in its code, for two executable files. The first file is a legitimate executable that the loader runs. With the help of the process hollowing technique, the loader performs hollowing on the second executable file, which loads the Delphi component. The second executable is thus the final malicious payload which can be REvil, GootKit, Kronos, or CobaltStrike.
Impact
- This malware leverages SEO techniques to lure potential victims to visit compromised websites.
- Gootloader uses obfuscation techniques to avoid detection by AV.
- It also uses fileless technique to deliver other strains of malware that leads to further attacks.
Mitigation
- Double check the first search result when visiting any website. Check the domain name and the content of webpages, especially if it is inconsistent with the domain name.
- Avoid clicking and downloading any suspicious documents provided in suspicious web pages.
- Use anomaly detection tools to detect malicious behaviors to prevent such attacks.
Tactics, Techniques and Procedure
Tactics |
Techniques |
|
Reconnaissance |
T1590.005 | Gather Victim Network Information: IP Addresses |
Resource Development |
T1584.004 | Compromise Infrastructure: Server |
Execution |
T1059.007 | Command and Scripting Interpreter: JavaScript/JScript |
| T1059.001 | Command and Scripting Interpreter: PowerShell | |
| T1204.002 | User Execution: Malicious File | |
Persistence |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Defence Evasion |
T1140 | Deobfuscate/Decode Files or Information |
| T1112 | Modify Registry | |
| T1055.012 | Process Injection: Process Hollowing | |
Indicators of Compromise
SHA1 |
8731316018d005690046909f86b10a2130cfe75c |
| 04ac4430395e4bb5c8e78e3c6a277f108da36124 | |
| d7469da6a523239a9f2eee26d944aa9076c87bfa | |
| f43b74c10c880546cf03014e253026736f01d1f9 | |
| 2bc5babb780ffdd38f2ee61583ed2d036fd499d7 | |
| 7fde4507b2430e37c7dc9a1df8904371bc1bf9b2 | |
| f2ddf525f9bf9e583cb6e2694e5abfac483660b2 | |
| 098b332b7a4f8712916d6a681799e390daaaef98 | |
| 9771dc299da3aafd578a3182c63530315aff5726 | |
| dd98b9fce29bb291f37ef7ccf745ad3cdf5880b8 | |
| effb1d6d2a254c428fd3b726e5d10ba9c77a3ae6 | |
| f6525c66ab292d394ff7ec3da9beca8c45919788 | |
| 02efc02a97e2223a85deea842eacebe9eb86aa0f | |
| c51d97e76b018918504533ffdc05b06bae420912 | |
| f1acf90d5a42eba5b601ebe1b954be72d1c5b0b2 |