Uploaded by ctmc999

September 2022 | Izzat_csoc

Goot Loader Malware

Summary

• Since the beginning of January 2021 an active Gootloader campaign has been observed in the wild, expanding its scope of interest to a wider set of enterprise verticals worldwide.
• Analysis of over 900 unique droppers reveals that the campaign targets diverse enterprise and government verticals including military, financial, chemistry, banking, automotive, investment companies and energy stakeholders, primarily in the US, Canada, Germany and South Korea.
• Around 700 high-traffic compromised websites were used as a delivery network.
• The campaign uses tailored filenames to lure targets, a typical form of social engineering.
• The campaign has a low static detection rate alongside robust sandbox evasion techniques and ‘fileless’ stages.
• Considering the wide distribution of the campaign and the heterogeneity of its deployed arsenal, we assess that Gootloader acts as an ‘Initial Access as a Service’ provider, after which a variety of tools may be deployed.

Introduction

GootLoader is distributed through legitimate but compromised websites (mainly sites managed with WordPress) and is used to infect computers with additional malware. The cybercriminals behind it trick users into unknowingly downloading and executing the malware by disguising it as a document or other file. The threat actors behind GootLoader mainly distribute ransomware and Cobalt Strike: they seek to infect computers with malware that encrypts files, or to deploy information stealers, cryptocurrency miners and similar tooling. The delivery channel, as noted, is the compromised websites themselves.

Typical Infection Process:

1. User performs a web search for a document or document template
2. User clicks on a search result leading to a GootLoader landing page
3. Landing page presents a fake web forum and a link to the requested document
4. User clicks on the presented link and receives a Zip archive
5. User opens the archive and finds a JavaScript file (.js extension) disguised as the requested document
6. User executes the JavaScript file by double-clicking it
7. Windows executes the JavaScript file using the Windows Script Host process, resulting in execution of the GootLoader malware

Infection Chain and Techniques

1. Initial Access
• The threat actor gained initial access using Gootloader malware: the user found and downloaded the malware through SEO-poisoned search results.
• The JavaScript file is then executed when it is double-clicked after the zip is opened.

2. Execution
• Upon execution, Gootloader creates two registry keys.
• The first is populated with an encoded Cobalt Strike payload and the second is used to store a .NET loader named powershell.dll.
• Once the PowerShell script has finished running, the next stage involves the .NET loader. The .NET loader reads HKCU:\SOFTWARE\Microsoft\xxx and extracts the encoded Cobalt Strike payload. This payload is decoded and subsequently loaded into memory for execution.

3. Persistence
• The JavaScript (Gootloader) file invokes an encoded PowerShell command.
• The encoded PowerShell command creates a Scheduled Task that runs when the selected user logs on to the computer. At logon, an encoded PowerShell command is executed that retrieves and executes the payload stored in the Registry.
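The registry-stored payload and the logon-triggered task described in sections 2 and 3 leave a reviewable artifact: the task definition itself, which can be exported with schtasks /query /xml. The following triage script is an added example (not part of this report and not Gootloader's own code) that parses such an export, flags a logon trigger whose action launches an encoded PowerShell command, decodes the command, and checks whether it reads from the registry. The task XML, the user name CORP\alice and the registry path HKCU:\SOFTWARE\Microsoft\PLACEHOLDER are constructed for the example; the XML namespace and element layout are the real Task Scheduler schema.

```python
"""Triage an exported Task Scheduler definition (schtasks /query /xml) for the
persistence pattern above: a logon trigger whose action runs an encoded
PowerShell command that reads a payload back out of the registry."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Real Task Scheduler XML namespace; the element paths below follow the schema.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
REGISTRY_RE = re.compile(r"HK(?:CU|LM|EY_)|Get-ItemProperty|Registry::", re.IGNORECASE)


def decode_encoded_command(arguments: str) -> Optional[str]:
    """PowerShell -EncodedCommand is Base64 over UTF-16LE; return the plain text."""
    m = ENC_RE.search(arguments or "")
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_task(xml_text: str) -> dict:
    """Summarise trigger, action and decoded command; 'suspicious' is the
    logon-trigger + encoded-PowerShell combination worth escalating."""
    root = ET.fromstring(xml_text)
    logon = root.find("t:Triggers/t:LogonTrigger", NS)
    exec_action = root.find("t:Actions/t:Exec", NS)
    command = args = ""
    if exec_action is not None:
        command = exec_action.findtext("t:Command", default="", namespaces=NS)
        args = exec_action.findtext("t:Arguments", default="", namespaces=NS)
    decoded = decode_encoded_command(args)
    is_powershell = any(n in command.lower() for n in ("powershell", "pwsh"))
    return {
        "logon_trigger": logon is not None,
        "logon_user": (logon.findtext("t:UserId", default="(any user)", namespaces=NS)
                       if logon is not None else None),
        "command": command,
        "decoded_command": decoded,
        "reads_registry": bool(decoded and REGISTRY_RE.search(decoded)),
        "suspicious": logon is not None and is_powershell and decoded is not None,
    }


# --- constructed samples: user, registry path and vendor path are invented ---
INNER = r"Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\PLACEHOLDER'"
ENC = base64.b64encode(INNER.encode("utf-16-le")).decode()

SUSPICIOUS_TASK = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>CORP\\alice</UserId>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -ep bypass -enc {ENC}</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\agent.exe</Command><Arguments>--background</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, triage_task(xml_text))
```

A logon trigger by itself is common for legitimate software, so the script only escalates when the action is PowerShell with an encoded command; the decoded text is returned so an analyst can confirm the registry read the report describes rather than trusting the flag alone.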

4. Defense Evasion
• Windows Defender scheduled scans were deleted from the system. This was observed on multiple servers the threat actor pivoted to.
• PowerShell was used to disable multiple security features built into Microsoft Defender.
• As in many cases involving Cobalt Strike, we observed rundll32 being used to load the Cobalt Strike beacons into memory on the beachhead host.
• During the intrusion, various named pipes were utilized by the threat actor’s Cobalt Strike beacons, including the default Cobalt Strike named pipes.
• The threat actors were observed making use of double-encoded PowerShell commands. The first layer of encoding is hexadecimal combined with XOR.
• The second layer is a Base64-encoded string that decodes to gzipped data.
• Decoding this script reveals that it is a publicly available WMIExec script for running remote WMI queries.

5. Credential Access
• The malicious PowerShell process used by Gootloader dropped a PowerShell script on the file system.
• Another PowerShell command was used to trigger it; the script was XOR-encoded.
• By monitoring PowerShell event ID 4103 (module logging) we can observe the threat actor’s successful credential access activity.
• This will dump passwords (browsers, LSA secrets, hashdump, KeePass, WinSCP, RDPManager, OpenVPN, Git, etc.) and store the output file (in our case) in the “C:\Users” directory. When LaZagne is run with admin privileges, it also attempts to dump credentials from local registry hives, as can be seen below.

6. Discovery and Lateral Movement
• The threat actors used the PowerShell implementation of BloodHound on the beachhead host to enumerate the Active Directory domain. The Cobalt Strike beacon was used to invoke the PowerShell script.
• They also ran a WMI command on the beachhead host and on one other host to check for antivirus products.
• The threat actors executed this command remotely on a domain controller before moving laterally to it.
• While holding an interactive RDP session, in an attempt to collect more information about the host, the attackers used PowerShell to run systeminfo on one of the hosts they pivoted to.
• On the last day, before they left the network, the threat actors used Advanced IP Scanner to scan the whole network for the below open ports:

7. Lateral Movement
• The threat actor created and installed Windows services to deploy Cobalt Strike beacons. This method was used to pivot to other systems within the network.
• SMB was also used to transfer executable Cobalt Strike beacons to various workstations in the environment.
• In addition to deploying Cobalt Strike beacons, the threat actor also used RDP to establish interactive sessions with various hosts on the network. One important aspect of these sessions is that the threat actor authenticated using “Restricted Admin Mode”.
• Restricted Admin Mode can be considered a double-edged sword: although it prevents credential theft, it also enables an attacker to perform a pass-the-hash attack over RDP. In other words, once Restricted Admin Mode is enabled, only the NTLM hash of the remote desktop user is required to establish a valid RDP session, without possessing the cleartext password.
• The threat actor attempted to use both Invoke-WMIExec and psexec to enable “Restricted Admin Mode”.

8. Collection
• The threat actor accessed multiple files during the RDP sessions on multiple servers. In one instance, document files were opened directly on the system.
• ShellBags revealed attempts to enumerate multiple file shares containing information of interest to the threat actor.

9. Command and Control
• Gootloader second-stage download URLs were deobfuscated and extracted using a script published by HP Threat Research. They have updated this script at least a few times; thanks to @hpsecurity, and thanks to @GootLoaderSites for sharing on Twitter whenever it is broken or fixed.
• During the intrusion, the Gootloader loader was observed communicating with 35.206.117.64:443 (kakiosk[.]adsparkdev[.]com).

GootLoader Mitigation Tips

1. URL Analysis: GootLoader preys on victims using SEO-poisoning techniques to host documents containing its initial malicious stages. Determining whether URLs are benign or malicious could play a pivotal role in preventing a victim from clicking on a link hosting malware.
2. Decoy File: GootLoader deceives the victim by disguising its initial stage as a free downloadable document on a niche internet forum.
3. Client-Server Payload Profiling: GootLoader is hosted on compromised sites. Determining in advance whether a payload is malicious can prevent the victim from downloading the malicious lure document onto their device.
4. File Hashing: Deploying hash-based detection on a device can be an effective way of blocking or quarantining malware if it appears on a device.
5. File Content Rules: Searching the contents of a file via pattern matching, for example with YARA, is a strong way of determining whether a file is benign or malicious.
6. System Configuration Permissions: Locking a system down to specific users could prevent both the running of malicious files and the registry creation performed by GootLoader.
7. Process Spawn Analysis: Having visibility into spawned processes, such as suspicious use of wscript.exe or PowerShell.exe, could give insight into a malicious threat executing on a victim system.
8. Network Traffic Filtering: GootLoader attempts to download its stager payloads and also attempts to reach out to its beaconing C2. Having visibility and filtering in place can lead to malicious traffic being intercepted and dropped.
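Tip 7 (process spawn analysis) and the typical infection process earlier in the report describe the same chain from the defender's side: Windows Script Host running a .js extracted from a zip, that script host spawning PowerShell with an encoded command, rundll32 loading beacons, and PowerShell turning off Defender features. The rules below are an added example, not part of this report or of any product, written over constructed Sysmon Event ID 1 style records (ParentImage, Image, CommandLine); the paths, user name, DLL name and registry path are invented, and the Defender-tampering pattern is limited to the two forms the report mentions (disabling features via Set-MpPreference and removing Defender scheduled tasks).

```python
"""Process-spawn rules for the Gootloader chain described above, run over
constructed Sysmon Event ID 1 style records. Events, paths and names are made
up for the example; the rule logic is the point."""
import base64
import ntpath
import re
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
JS_RE = re.compile(r"\.js\b", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(?:Downloads|Temp)\\", re.IGNORECASE)
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
DEFENDER_TAMPER_RE = re.compile(
    r"Set-MpPreference\s+-Disable\w+|Unregister-ScheduledTask.*Windows Defender", re.IGNORECASE)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def decode_enc(cmdline: str) -> Optional[str]:
    """Decode PowerShell -EncodedCommand (Base64 over UTF-16LE) if present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_script_host_js(ev: dict) -> Optional[str]:
    """wscript/cscript running a .js out of Downloads or Temp (zip extraction)."""
    cmd = ev["CommandLine"]
    if image_name(ev["Image"]) in SCRIPT_HOSTS and JS_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
        return "script host executing a .js file from a user-writable path"
    return None


def rule_script_host_child_powershell(ev: dict) -> Optional[str]:
    if image_name(ev["ParentImage"]) in SCRIPT_HOSTS and image_name(ev["Image"]) in POWERSHELL:
        return "PowerShell spawned by a script host"
    return None


def rule_encoded_powershell(ev: dict) -> Optional[str]:
    if image_name(ev["Image"]) in POWERSHELL:
        decoded = decode_enc(ev["CommandLine"])
        if decoded is not None:
            return f"encoded PowerShell command, decodes to: {decoded}"
    return None


def rule_rundll32_from_script(ev: dict) -> Optional[str]:
    if image_name(ev["Image"]) == "rundll32.exe" and image_name(ev["ParentImage"]) in POWERSHELL | SCRIPT_HOSTS:
        return "rundll32 launched by PowerShell or a script host"
    return None


def rule_defender_tamper(ev: dict) -> Optional[str]:
    if DEFENDER_TAMPER_RE.search(ev["CommandLine"]):
        return "command disables Defender features or removes Defender scheduled tasks"
    return None


RULES = [rule_script_host_js, rule_script_host_child_powershell, rule_encoded_powershell,
         rule_rundll32_from_script, rule_defender_tamper]


def analyze(events: list) -> list:
    """Return (event index, rule name, reason) for every rule that fires."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            reason = rule(ev)
            if reason:
                alerts.append((i, rule.__name__, reason))
    return alerts


# --- constructed sample events (user, paths, DLL and registry path are invented) ---
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENC = base64.b64encode(r"Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\PLACEHOLDER'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_agreement_template.zip\agreement_template.js"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe", "Image": _PS,
     "CommandLine": f"powershell.exe -w hidden -enc {_ENC}"},
    {"ParentImage": _PS, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\PLACEHOLDER.dll,Start"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly_backup.ps1"},
]

if __name__ == "__main__":
    for idx, rule, reason in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {reason}")
```

Each rule is narrow on purpose: a script host alone, or PowerShell alone, is normal on most estates, so the signal comes from the parent-child pairing and from the decoded command text, which the rule returns so an analyst can see the registry read rather than just a flag. The last sample event (a scheduled backup script) is there to show that ordinary PowerShell use does not fire anything.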
