|North America, South Korea, Germany, France|
- Once run, the script connects to the C2 server and receives a sequence of numbers that represent the ASCII characters of the second-stage payload, which is loaded directly into memory, leaving no trace of its existence on the system.
- After decoding the numeric values to text, the second payload writes keys/values in the registry under the HKCU\Software hive.
- It also creates an autorun for a PowerShell script, which runs each time the system boots and decodes and runs the .NET loader payload.
- The PowerShell script creates a registry Run key as a failsafe mechanism to execute the payload on the next reboot.
- The .NET loader contains a Delphi-based loader. The loader has two sequences of hexadecimal numbers in its code, for two executable files. The first file is a legitimate executable that the loader runs. With the help of the process hollowing technique, the loader performs hollowing on the second executable file, which loads the Delphi component. The second executable is thus the final malicious payload, which can be REvil, GootKit, Kronos, or CobaltStrike.
- This malware leverages SEO techniques to lure potential victims to visit compromised websites.
- Gootloader uses obfuscation techniques to avoid detection by AV.
- It also uses a fileless technique to deliver other strains of malware that lead to further attacks.
- Double check the first search result when visiting any website. Check the domain name and the content of webpages, especially if it is inconsistent with the domain name.
- Avoid clicking and downloading any suspicious documents provided in suspicious web pages.
- Use anomaly detection tools to detect malicious behaviors to prevent such attacks.
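The chain described above keeps its stages as encoded text (decimal ASCII codes, hexadecimal executable sequences) and writes data under HKCU\Software. The following triage sketch is an added example, not code from the original advisory: it flags registry value data that decodes as such a sequence and classifies the result. The separator format, the length thresholds and the key names in the sample are assumptions.

```python
import re

# Assumption: decimal codes are separated by commas, semicolons or whitespace;
# the advisory does not give the exact stored format. Thresholds are arbitrary.
DECIMAL_SEQ = re.compile(r"^\s*\d{1,3}(?:[\s,;]+\d{1,3}){31,}\s*$")
HEX_SEQ = re.compile(r"^(?:[0-9A-Fa-f]{2}){32,}$")

def decode_candidate(value):
    """Return decoded bytes if value looks like an encoded blob, else None."""
    text = value.strip()
    if DECIMAL_SEQ.match(text):
        codes = [int(n) for n in re.split(r"[\s,;]+", text)]
        return bytes(codes) if all(c < 256 for c in codes) else None
    if HEX_SEQ.match(text):
        return bytes.fromhex(text)
    return None

def classify(blob):
    """Rough content type of a decoded blob."""
    if blob[:2] == b"MZ":  # DOS/PE header magic
        return "pe-executable"
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in blob)
    return "text-or-script" if printable / len(blob) > 0.95 else "binary-data"

def triage(values):
    """values: {registry value path: string data} -> [(path, kind, size)]."""
    findings = []
    for path, data in values.items():
        blob = decode_candidate(data)
        if blob is not None:
            findings.append((path, classify(blob), len(blob)))
    return findings

# Constructed sample data (hypothetical key names, harmless content).
SAMPLE = {
    r"HKCU\Software\ExampleVendor\Settings\Theme": "dark",
    r"HKCU\Software\ExampleA\0": ",".join(
        str(b) for b in b"Write-Output 'constructed sample script text' # padding"),
    r"HKCU\Software\ExampleB\0": (b"MZ" + bytes(62)).hex(),
    r"HKCU\Software\ExampleVendor\WindowPos": "10,20,800,600",
}

if __name__ == "__main__":
    for path, kind, size in triage(SAMPLE):
        print(f"{path}: {kind}, {size} bytes decoded")
```

Feed it value data exported from a suspect user hive; a hit is a lead for manual review, since legitimate software also stores long numeric or hex strings in the registry.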
Tactics, Techniques and Procedures
|T1590.005||Gather Victim Network Information: IP Addresses|
|T1584.004||Compromise Infrastructure: Server|
|T1059.001||Command and Scripting Interpreter: PowerShell|
|T1204.002||User Execution: Malicious File|
|T1547.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|
|T1140||Deobfuscate/Decode Files or Information|
|T1055.012||Process Injection: Process Hollowing|
Indicators of Compromise