Gootloader Malware Threat Intel Advisory

Published 09 March 2021


  • Gootloader is a JavaScript-based infection framework that uses a new mechanism to deliver its payload
  • The operators of this malware have compromised over 400 servers that host legitimate websites


Advisory Type
Malware Intelligence
Malware Type
Loader
Malware Name
Gootloader
Target OS
Windows
Targeted Countries
North America, South Korea, Germany, France

 

Executive Summary

Gootloader is a JavaScript-based infection framework with a new mechanism for delivering its payload. Its operators have compromised over 400 servers that host legitimate websites; they edit the content of the compromised sites to plant seemingly legitimate discussions whose keywords answer users' search queries.

Gootloader operators use SEO (Search Engine Optimization) techniques so that Google indexes the compromised websites and shows them in its search results. The attack vector works only for certain countries and certain search engines (such as Google); if the search does not match the loader's criteria, the visitor is served the legitimate web page instead. The Gootloader malware delivers the fileless GootKit RAT, REvil ransomware, Cobalt Strike, and the Kronos Trojan.

 

Technical Details

  • The initial payload is a single JavaScript file inside a zip archive, offered as a download link in the same forum thread that potential victims visit. The JavaScript payload is obfuscated twice to avoid detection by endpoint protection tools.
  • When the script runs, it connects to the C2 server and receives a sequence of numbers representing the ASCII characters of the second-stage payload, which is loaded directly into memory and leaves no trace of its existence on the system.
  • The second stage, after decoding the numeric values to text, writes keys and values in the registry under the HKCU\Software hive.
  • It also creates an autorun entry for a PowerShell script, which runs each time the system boots and decodes and runs the .NET loader payload.
  • The PowerShell script creates a registry Run key as a failsafe so that the payload executes again on the next reboot.
  • The .NET loader contains a Delphi-based loader. That loader holds two sequences of hexadecimal numbers in its code, one for each of two executable files. The first is a legitimate executable that the loader runs; using the process hollowing technique, the loader then runs the second executable in place of the legitimate one's image. This second executable loads the Delphi component and is thus the final malicious payload, which can be REvil, GootKit, Kronos, or Cobalt Strike.
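The registry persistence described in the last four items above is the part of this chain a defender can hunt for on a host. The following Python triage script is an added example, not code from the advisory: it walks exported HKCU values and flags Run entries that launch PowerShell hidden or with encoded input, and HKCU\Software values that store a stage as a run of decimal ASCII codes. The value paths, the Run commands and the encoded script are constructed samples, not real Gootloader artefacts.

```python
import re

# Constructed sample script, encoded the way the advisory describes stage two:
# one decimal ASCII code per character, separated by spaces.
CONSTRUCTED_SCRIPT = '$s = (Get-ItemProperty "HKCU:\\Software\\Example").Stage'
ENCODED_STAGE = " ".join(str(ord(c)) for c in CONSTRUCTED_SCRIPT)

# Constructed registry export (path -> data); hypothetical names throughout.
SAMPLE_VALUES = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
        'powershell.exe -w hidden -c "iex $s"',
    r"HKCU\Software\Example\Stage": ENCODED_STAGE,
    r"HKCU\Software\Example\Version": "2.1.0",  # short numeric value, benign
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

POWERSHELL_RE = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")
HIDDEN_OR_ENCODED_RE = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\biex\b|invoke-expression)")

def decode_numeric_blob(value, min_len=16):
    """Return the decoded text if value is a long run of decimal numbers that all
    map to printable ASCII (plus tab/CR/LF), i.e. a stage stored as ASCII codes;
    otherwise None. Short version strings like "2.1.0" are rejected by min_len."""
    if not re.fullmatch(r"[\d\s,;]+", value.strip()):
        return None
    codes = [int(p) for p in re.findall(r"\d+", value)]
    if len(codes) < min_len:
        return None
    if all(32 <= c < 127 or c in (9, 10, 13) for c in codes):
        return "".join(chr(c) for c in codes)
    return None

def is_suspicious_run_entry(path, command):
    """Flag Run-key entries that start PowerShell with a hidden window, an encoded
    command, or Invoke-Expression; ordinary Run entries are left alone."""
    if "\\currentversion\\run\\" not in path.lower():
        return False
    return bool(POWERSHELL_RE.search(command) and HIDDEN_OR_ENCODED_RE.search(command))

def triage(values):
    """Return (path, reason, detail) findings for every suspicious exported value."""
    findings = []
    for path, data in values.items():
        if is_suspicious_run_entry(path, data):
            findings.append((path, "powershell-run-key", data))
        decoded = decode_numeric_blob(data)
        if decoded is not None:
            findings.append((path, "numeric-ascii-blob", decoded[:60]))
    return findings

if __name__ == "__main__":
    for path, reason, detail in triage(SAMPLE_VALUES):
        print(f"{reason:20} {path}\n    {detail}")
```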

 

Impact

  • This malware leverages SEO techniques to lure potential victims to visit compromised websites.
  • Gootloader uses obfuscation techniques to avoid detection by AV.
  • It also uses a fileless technique to deliver other malware strains, which leads to further attacks.

 

Mitigation

  • Double-check the first search result before visiting any website: check the domain name and the content of the page, especially when the content is inconsistent with the domain name.
  • Avoid clicking on or downloading suspicious documents offered on suspicious web pages.
  • Use anomaly detection tools to detect malicious behaviour and prevent such attacks.

 

Tactics, Techniques and Procedures

Reconnaissance
  • T1590.005 Gather Victim Network Information: IP Addresses
Resource Development
  • T1584.004 Compromise Infrastructure: Server
Execution
  • T1059.007 Command and Scripting Interpreter: JavaScript/JScript
  • T1059.001 Command and Scripting Interpreter: PowerShell
  • T1204.002 User Execution: Malicious File
Persistence
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defence Evasion
  • T1140 Deobfuscate/Decode Files or Information
  • T1112 Modify Registry
  • T1055.012 Process Injection: Process Hollowing

 

Indicators of Compromise

SHA1
