Gootloader Malware Threat Intel Advisory

CloudSEK threat intelligence advisory on Gootloader malware, Javascript-based infection framework, uses new techniques to deliver payload.

Updated on

May 22, 2023

Published on

March 9, 2021

Read MINUTES

Subscribe to the latest industry news, threats and resources.

Table of Contents

This is also a heading
This is a heading

Advisory Type	Malware Intelligence
Malware Type	Loader
Malware Name	Gootloader
Target OS	Windows
Targeted Countries	North America, South Korea, Germany, France

Executive Summary

Gootloader is a Javascript-based infection framework that has a new mechanism of delivering its payload. The operators of this malware have compromised over 400 servers that host legitimate websites; they edit the content of the compromised websites to start seemingly legitimate discussions with the help of key words that answer users’ queries. Gootloader operators leverage SEO (Search Engine Optimization) techniques that allow Google to index the compromised websites to help them appear as part of its search results. The attack vector works for certain countries and for certain search engines (such as Google). And in case the search didn’t match the criteria of the loader, the search result will be legitimate webpages. The Gootlaoder malware delivers fileless GootKit RAT, REvil ransomware, CobaltStrike, and Kronos Trojan.

Technical Details

The initial payload is a single javascript file within a zip file. This in turn is provided as a downloadable link on the same forum thread that potential victims visit. The javascript payload is twice obfuscated to avoid detection by end-point protection tools.
After running the script, it connects to the C2 server to receive a sequence of numbers that represent the ASCII characters of the second stage payload which will be loaded directly into the memory leaving no traces for its existence into the system.
The second payload, after decoding numeric values to text, and it writes keys/ values in the registry under the HKCU/ Software hive.
Also it creates an autorun for a PowerShell script, which runs each time the system boots, and decodes and runs the .NET loader payload.
The PowerShell script creates a registry run key as a failsafe mechanism to execute the payload in the next reboot.
The .Net loader contains a Delphi-based loader. The loader has two sequences of hexadecimal numbers in its code, for two executable files. The first file is a legitimate executable that the loader runs. With the help of the process hollowing technique, the loader performs hollowing on the second executable file, which loads the Delphi component. The second executable is thus the final malicious payload which can be REvil, GootKit, Kronos, or CobaltStrike.

Impact

This malware leverages SEO techniques to lure potential victims to visit compromised websites.
Gootloader uses obfuscation techniques to avoid detection by AV.
It also uses fileless technique to deliver other strains of malware that leads to further attacks.

Mitigation

Double check the first search result when visiting any website. Check the domain name and the content of webpages, especially if it is inconsistent with the domain name.
Avoid clicking and downloading any suspicious documents provided in suspicious web pages.
Use anomaly detection tools to detect malicious behaviors to prevent such attacks.

Tactics, Techniques and Procedure

Tactics	Techniques
Reconnaissance	T1590.005	Gather Victim Network Information: IP Addresses
Resource Development	T1584.004	Compromise Infrastructure: Server
Execution	T1059.007	Command and Scripting Interpreter: JavaScript/JScript
	T1059.001	Command and Scripting Interpreter: PowerShell
	T1204.002	User Execution: Malicious File
Persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Defence Evasion	T1140	Deobfuscate/Decode Files or Information
	T1112	Modify Registry
	T1055.012	Process Injection: Process Hollowing

Indicators of Compromise

SHA1	8731316018d005690046909f86b10a2130cfe75c
	04ac4430395e4bb5c8e78e3c6a277f108da36124
	d7469da6a523239a9f2eee26d944aa9076c87bfa
	f43b74c10c880546cf03014e253026736f01d1f9
	2bc5babb780ffdd38f2ee61583ed2d036fd499d7
	7fde4507b2430e37c7dc9a1df8904371bc1bf9b2
	f2ddf525f9bf9e583cb6e2694e5abfac483660b2
	098b332b7a4f8712916d6a681799e390daaaef98
	9771dc299da3aafd578a3182c63530315aff5726
	dd98b9fce29bb291f37ef7ccf745ad3cdf5880b8
	effb1d6d2a254c428fd3b726e5d10ba9c77a3ae6
	f6525c66ab292d394ff7ec3da9beca8c45919788
	02efc02a97e2223a85deea842eacebe9eb86aa0f
	c51d97e76b018918504533ffdc05b06bae420912
	f1acf90d5a42eba5b601ebe1b954be72d1c5b0b2

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Table of Contents

This is also a heading
This is a heading

Recent Articles

Critical CSRF Vulnerability in IBM CICS TX - CVE-2023-42027 Demands Immediate Action

November 15, 2023

CVE-2023-43792 baserCMS is a website development framework vulnerable to Code Injection attacks

November 6, 2023

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.

Schedule a Demo

Real time Threat Intelligence Data

More information and context about Underground Chatter

On-Demand Research Services

Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.

Trusted by 400+ Top organisations