Gootloader Malware Threat Intel Advisory
Published 09 March 2021
- The operators of this malware have compromised over 400 servers that host legitimate websites
|North America, South Korea, Germany, France|
Gootloader operators use SEO (Search Engine Optimization) techniques so that Google indexes the compromised websites and surfaces them in its search results. The attack vector works only for certain countries and certain search engines (such as Google); if a search does not match the loader's criteria, the visitor is shown the site's legitimate web pages instead. The Gootloader malware delivers the fileless GootKit RAT, REvil ransomware, Cobalt Strike, and the Kronos Trojan.
- Once run, the script connects to the C2 server to receive a sequence of numbers representing the ASCII character codes of the second-stage payload, which is loaded directly into memory and leaves no trace of its existence on the system.
- The second-stage payload decodes the numeric values to text and writes keys and values to the registry under HKCU\Software.
- It also creates an autorun entry for a PowerShell script that runs each time the system boots and decodes and runs the .NET loader payload.
- The PowerShell script creates a registry run key as a failsafe mechanism to execute the payload on the next reboot.
- The .NET loader contains a Delphi-based loader. The loader's code holds two sequences of hexadecimal numbers, one for each of two executable files. The first file is a legitimate executable that the loader runs. Using the process hollowing technique, the loader performs hollowing on the second executable file, which loads the Delphi component. The second executable is thus the final malicious payload, which can be REvil, GootKit, Kronos, or Cobalt Strike.
- This malware leverages SEO techniques to lure potential victims to visit compromised websites.
- Gootloader uses obfuscation techniques to avoid detection by AV.
- It also uses fileless techniques to deliver other malware strains that lead to further attacks.
- Double-check the first search result before visiting any website: check the domain name and the content of the web pages, especially if the content is inconsistent with the domain name.
- Avoid clicking on or downloading any suspicious documents offered on suspicious web pages.
- Use anomaly detection tools to detect malicious behaviors to prevent such attacks.
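The chain described above (a second stage delivered as decimal ASCII codes and decoded in memory, payload material parked under HKCU\Software, and a PowerShell run key for persistence) together with the recommendation to detect malicious behaviour can be illustrated in Python. The following is an added example, not code from the advisory or from any vendor tooling. The event records, key paths and value names are constructed placeholders, and the record layout (TargetObject, Details) is assumed to follow Sysmon Event ID 13 (registry value set).

```python
"""Added example: decode the numeric second-stage encoding the advisory describes
and hunt registry events for PowerShell run-key persistence of the same shape.
All sample records below are constructed; no real indicators are included."""
import re
from typing import Iterable


def decode_numeric_payload(encoded: str) -> str:
    """Turn a whitespace- or comma-separated sequence of decimal ASCII codes
    (the form the advisory describes for the second stage) back into text.
    Non-printable codes are kept so an analyst sees them as-is."""
    codes = [int(tok) for tok in re.split(r"[\s,]+", encoded.strip()) if tok]
    return "".join(chr(c) for c in codes)


# Registry autostart locations covered by T1547.001.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)

# Command-line traits of a PowerShell stager that pulls its payload out of
# HKCU\Software and decodes it in memory rather than touching disk.
POWERSHELL_RE = re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE)
STAGER_TRAITS = (
    re.compile(r"-(enc|encodedcommand|e)\b", re.IGNORECASE),   # encoded command
    re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE),    # hidden window
    re.compile(r"HKCU:?\\Software", re.IGNORECASE),            # reads HKCU\Software
    re.compile(r"Get-ItemProperty|GetValue\(", re.IGNORECASE), # registry read API
    re.compile(r"\[char\]|FromBase64String|-join", re.IGNORECASE),  # in-memory decode
)


def score_run_key_event(event: dict) -> int:
    """Score one Sysmon Event ID 13-style record (registry value set).
    Returns 0 for anything that is not a PowerShell command under a Run/RunOnce
    key; otherwise 1 point for PowerShell plus 1 per stager trait in the data."""
    if not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return 0
    data = event.get("Details", "")
    if not POWERSHELL_RE.search(data):
        return 0
    return 1 + sum(1 for pat in STAGER_TRAITS if pat.search(data))


def find_suspicious_run_keys(events: Iterable[dict], threshold: int = 3) -> list:
    """Return (TargetObject, score) for run-key writes scoring at or above threshold."""
    hits = []
    for ev in events:
        s = score_run_key_event(ev)
        if s >= threshold:
            hits.append((ev["TargetObject"], s))
    return hits


# Constructed sample records; SIDs, key paths and value names are placeholders.
SAMPLE_EVENTS = [
    {   # benign: an ordinary application autostart
        "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater",
        "Details": r"C:\Program Files\ExampleApp\updater.exe /background",
    },
    {   # the shape the advisory describes: hidden PowerShell run key that reads a
        # value under HKCU\Software and turns its numeric content into characters
        "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\EXAMPLE_persist",
        "Details": "powershell.exe -w hidden -c \"(Get-ItemProperty HKCU:\\Software\\EXAMPLE_key)"
                   ".EXAMPLE_value.Split(' ') | % { [char]$_ }\"",
    },
    {   # the parked second stage itself: not a run key, so not scored here
        "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\EXAMPLE_key\EXAMPLE_value",
        "Details": "118 97 114 32 120 61 49 59",
    },
]

if __name__ == "__main__":
    for key, score in find_suspicious_run_keys(SAMPLE_EVENTS):
        print(f"suspicious autostart (score {score}): {key}")
    # Show what the parked numeric value decodes to for the analyst.
    print(decode_numeric_payload(SAMPLE_EVENTS[2]["Details"]))
```

The scoring is deliberately additive rather than a single signature: a hidden PowerShell window alone is common in legitimate scheduled scripts, but a run key that is hidden, reads HKCU\Software and converts characters in memory matches the persistence pattern described above and should be triaged together with the registry value it references.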
Tactics, Techniques and Procedures

| Technique ID | Technique |
|---|---|
| T1590.005 | Gather Victim Network Information: IP Addresses |
| T1584.004 | Compromise Infrastructure: Server |
| T1059.001 | Command and Scripting Interpreter: PowerShell |
| T1204.002 | User Execution: Malicious File |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| T1140 | Deobfuscate/Decode Files or Information |
| T1055.012 | Process Injection: Process Hollowing |
Indicators of Compromise