Emulating the Commodity Downloader GootLoader

AttackIQ has released three new attack graphs that aim to emulate the recent activities involving the commodity JavaScript-based downloader known as GootLoader. Read More

GootLoader is a stealthy first-stage JavaScript-based downloader, designed to target Windows-based systems, that has been active since at least 2020. It is considered an Initial-Access-as-a-Service (IAaaS) tool used within a Ransomware-as-a-Service (RaaS) criminal business model.

This malware typically leverages Search Engine Optimization (SEO) poisoning and compromised websites to direct victims to drive-by download activities that deliver its first-stage payload, which poses as the document the user is looking for.

GootLoader has been involved in activities against organizations across many industries, including Military, Legal, Financial, Banks, Manufacturing, and Healthcare, primarily in the United States, Canada, France, Germany, Australia, and South Korea.

GootLoader’s infection chain involves the delivery of a concealed JavaScript payload nested within a compressed ZIP file. Adversaries using this malware during 2022 followed a consistent execution pattern, which relies on the use of WScript and CScript for JScript execution, as well as the utilization of different Windows Registry keys for payload staging.

In its short lifespan, GootLoader has evolved from a mere Gootkit downloader, a banking trojan and stealer that has been in use since 2014, into a multi-payload malware platform capable of delivering sophisticated second-stage payloads.

AttackIQ has released three new attack graphs that aim to emulate the recent activities involving the commodity JavaScript-based downloader known as GootLoader to help customers validate their security controls and their ability to defend against this threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using these new attack graphs in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against a tool widely used among criminal groups.
  • Assess your security posture against post-exploitation activities related to this commodity malware.
  • Continually validate detection and prevention pipelines against highly sophisticated and far-reaching intrusion chains.

GootLoader – 2022-12 – Infection Chain Targeting the Australian Healthcare Industry

(Click for Larger)

In January 2023, TrendMicro released a report detailing the infection routine employed by Gootloader, which had recently extended its attacks into the healthcare industry, specifically targeting Australia. On this occasion,   utilized SEO Poisoning coupled with the exploitation of keywords related to the healthcare sector and combined with the names of Australian cities, as the initial access vector.

During this activity, Gootloader was distributed through the use of a malicious ZIP archive, which contained within it a JavaScript (JS) file incorporating words identified as prominent search queries, particularly those strongly associated with the term “agreement”.

(Click for Larger)

This stage commences with the download and saving of a compressed ZIP file distributed through the Search Engine Optimization (SEO) Poisoning technique. Subsequently, the JavaScript (JS) contained within it is saved, which is immediately executed through CScript. Lastly, the adversary will attempt to create a Scheduled Task to ensure Persistence and Execution.

Ingress Tool Transfer (T1105): This scenario downloads to memory and saves to disk in two separate scenarios to test network and endpoint controls and their ability to prevent the delivery of known malicious payloads.

Command and Scripting Interpreter: Windows Command Shell (T1059.003): This scenario will attempt to execute a JavaScript file through cscript.exe.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the schtasks utility.

(Click for Larger)

In the second stage, the staging of the payloads embedded inside Gootloader will be performed. The staging is carried through the registry by creating two keys in the HKCU\SOFTWARE\Microsoft\Phone hive. In this case, the primary payload is a Cobalt Strike module that will be executed through the DLL Side-Loading technique.

Modify Registry (T1112): This scenario stages payloads in the registry by creating two entries under the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone hive.

Hijack Execution Flow: DLL Side-Loading (T1574.002): Bundles a DLL with a Windows executable that is susceptible to DLL Side-Loading to execute malicious code.

(Click for Larger)

In the third stage, the adversary will seek to deploy BloodHound, an Active Directory (AD) reconnaissance tool, which will be executed through the previously deployed Cobalt Strike module.

Subsequently, a script known as “BloodHound Ingestor” will be executed, which seeks to collect data from the system environment and store it in a format that can be consumed later by BloodHound.

Remote System Discovery (T1018): This scenario will execute a BloodHound ingestor that will create a ZIP file containing all the Active Directory data necessary for BloodHound.

(Click for Larger)

In the fourth stage, a PowerShell script will be deployed, which will seek to obtain additional persistence and collect information about the compromised environment.

In this case, the script will achieve persistence by creating a Registry Run Key called “socks_bc” and, at the same time, it will seek to obtain information about the system policies, through a query to the Registry hive HKLM\SOFTWARE\Policies.

Logon Autostart Execution: Registry Run Keys (T1547.001): This scenario creates a registry entry named socks_bc under the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key that Windows uses to identify what applications should be run at system startup.

(Click for Larger)

In this stage, the discovery tasks performed by the previously deployed PowerShell script are carried out. In this case, it will seek to obtain user information, the name of the system, the active processes, the local disks, and the available files.

System Information Discovery (T1082): This scenario performs system information discovery via the Native API GetComputerNameExW function.

System Owner/User Discovery (T1033): This scenario performs system owner/user discovery via the Native API GetUserNameW function.

Process Discovery (T1057): This scenario uses the Windows API to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW. The emulation also uses the PowerShell cmdlet Get-Process to gather valuable information about running processes.

File and Directory Discovery (T1083): This scenario executes a PowerShell script that retrieves a list of files and folders from several important directories on a Windows computer.

(Click for Larger)

In the last stage of the attack, additional tasks are carried out. First, a scan is performed on ports 445 (SMB), 389 and 3268 (LDAP) to internal machines in order to identify protocols that may allow the adversary to move laterally through the network. Then, the Process Injection technique is performed with the objective of obtaining credentials, specifically Kerberos hashes.

Network Service Discovery (T1046): This scenario uses nmap for scanning hosts that are open on ports 389, 445, and 3268 that would identify remotely accessible hosts to the attacker.

Process Injection (T1055): This scenario injects a DLL file into another running process and validates if a canary file can be created.

OS Credential Dumping (T1003): This scenario obtains passwords that are stored by the Windows operating system using the PwDump7 tool.

GootLoader – 2022-07 – From Infection, Through BokBot, to Multiple Possible Endgame Payloads

(Click for Larger)

In July 2022, eSentire’s Threat Response Unit (TRU) reported the identification of a GootLoader infection whose primary objective was the distribution of BokBot, also known as IcedID, as a second-stage payload.

During this activity, the adversary employed Search Engine Optimization (SEO) Poisoning to distribute GootLoader. The infection begins with the user visiting an infected website with enticing content that prompts the download of a ZIP file. Inside the compressed archive, there is a highly obfuscated malicious JavaScript file responsible for connecting to one of three predetermined domains to retrieve the second-stage payload.

BokBot is a former Banking Trojan and current Loader that targets domain-joined machines with the goal of delivering a final-stage payload, also referred to as an “Endgame” payload. Recently, BokBot has been observed distributing Cobalt Strike, Conti Ransomware, Quantum Ransomware, and XingLocker Ransomware.

(Click for Larger)

This stage begins with downloading and saving of the compressed ZIP file related to Gootloader, which is distributed through the Search Engine Optimization (SEO) Poisoning technique. Subsequently, the JavaScript (JS) contained in it is saved, which is executed immediately afterward through CScript.

Next, the script will try to determine if the infected system is part of an Active Directory domain by using the environment variable “%USERDNSDOMAIN%, which contains the Fully Qualified Domain Name (FQDN) of the system. Finally, the script will create a Scheduled Task to ensure persistence.

(Click for Larger)

In the second stage, the staging of the payloads embedded inside Gootloader will be performed. The staging is carried through the registry by creating two keys under the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone hive.

During this activity, the payloads deployed and staged in the registry by Gootloader are FONELAUNCH, a .NET launcher used to decode and execute the second payload, which in this case is BokBot, a highly sophisticated modular Banking Trojan.

In this case, FONELAUNCH is executed through the Reflective DLL Injection technique, which seeks to load code into the processes’ own memory. Subsequently, BokBot is executed by employing the Process Hollowing technique, which executes arbitrary code in the address space of a separate live process.

Reflective DLL Injection (T1620): This scenario takes a default AttackIQ DLL and loads it into the memory space of its own process in order to execute the desired DLL function.

Process Injection: Process Hollowing (T1055.012): This scenario creates a process in a suspended state, then its memory is unmapped and replaced with the content of a malicious executable.

(Click for Larger)

In the third and final stage, BokBot will attempt to retrieve additional information about the system environment with the goal of ultimately exfiltrating it into the adversary’s infrastructure. In this way, BokBot will seek to obtain system, user, and network configuration information through the execution of multiple API calls.

System Information Discovery (T1082): This scenario will retrieve a security identifier (SID) for the account and the name of the domain on which the account was found by using the Native API call LookupAccountNameW.

System Network Configuration Discovery (T1016): This scenario will retrieve adapter information from the local computer by using the Windows API call GetAdaptersInfo.

Exfiltration Over C2 Channel (T1041): This scenario exfiltrates a pre-generated text file containing the output from a series of discovery commands executed by a threat actor to an AttackIQ controlled server using HTTP POST requests.

GootLoader – 2022-02 – From SEO Poisoning to Cobalt Strike, Mimikatz and LaZagne Deployment

(Click for Larger)

Since February 2022, DFIR Report researchers have observed the multi-stage loader known as GootLoader targeting a variety of victims through the use of the Search Engine Optimization (SEO) Poisoning technique with the objective of promoting compromised websites hosting malware to the top of certain search requests. The reported intrusion, which lasted two days, was found to be comprised of Discovery, Persistence, Lateral Movement, Collection, Defense Evasion, Credential Access, and Command and Control activities.

During the post-exploitation phase, the perpetrators used tools such as Mimikatz, LaZagne, WMIExec, and SharpHound (BloodHound) for the purpose of collecting credentials and gathering information regarding the compromised system environment. In addition, the adversary was observed attempting to move laterally to other systems on the network via Remote Desktop Protocol (RDP).

(Click for Larger)

This stage commences with the download and saving of a compressed ZIP file distributed through the Search Engine Optimization (SEO) Poisoning technique. Subsequently, the JavaScript (JS) contained within it is saved, which is immediately executed through CScript.

(Click for Larger)

In the second stage, the staging of the payloads embedded inside Gootloader will be performed. The staging is carried through the registry by creating two keys under the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone hive.

During this activity, the payloads deployed and staged in the registry by Gootloader are FONELAUNCH, a .NET launcher used to decode and execute the second payload, which in this case is Cobalt Strike Beacon.

(Click for Larger)

In the third stage, an encoded PowerShell command is executed, which has the objective of obtaining persistence through a Scheduled Task and performing a query to the registry with the intention of executing FONELAUNCH. Once deployed, FONELAUNCH will attempt to execute Cobalt Strike through RunDLL32.

Subsequently, Cobalt Strike will perform the deployment of BloodHound, an Active Directory (AD) reconnaissance tool, and will execute a script known as “BloodHound Ingestor”, which seeks to collect information from the system environment and store it in a format that can be later consumed by BloodHound.

Query Registry (T1012): This scenario will query the registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone\username which contains the staged payload to be executed.

System Binary Proxy Execution: Rundll32 (T1218.011): RunDll32 is a native system utility that can be used to execute DLL files and call a specific export inside the file. This scenario executes RunDll32 with an AttackIQ DLL and calls an export to mimic previously reported malicious activity.

(Click for Larger)

In the fourth stage, the adversary will aim to detect the presence of security software through the use of Windows Management Instrumentation (WMI). Subsequently, through PowerShell, the same will attempt to disable multiple security features that are built into Microsoft Defender.

Security Software Discovery (T1518.001): A native Microsoft Windows Management Instrumentation Command (WMIC) is executed to determine which software has been installed as an AntiVirusProduct class.

Impair Defenses: Disable or Modify Tools (T1562.001): As part of the PowerShell commands executed by the adversary, these scenarios use the Set-MpPreference cmdlet to modify preferences and disable Microsoft Defender.

(Click for Larger)

In this stage, the credentials available in the system are collected. First, Mimikatz, a tool used to extract authentication credentials, is deployed.

Subsequently, credentials will also be harvested using LaZagne, a tool used to extract credentials stored in the system. Finally, the credentials available in the Security Account Manager (SAM), SYSTEM and SECURITY registry hives will be dumped.

OS Credential Dumping (T1003): These scenarios use the Mimikatz and LaZagne tools to dump all possible credentials available on the host.

OS Credential Dumping: Security Account Manager (T1003.002): The built-in reg save command is executed to dump the Windows SAM, SYSTEM, and SECURITY hive.

(Click for Larger)

In the last stage, Invoke-WMIExec is deployed, a tool used by the adversary to enable Restricted Admin Mode, which is a Windows setting designed to protect administrator accounts by ensuring that Remote Desktop Protocol (RDP) credentials are not stored in memory on remote devices to which an RDP connection is made. Once this is achieved, the adversary will seek to perform lateral movement via RDP.

Modify Registry (T1112): Enables Restricted Admin Mode for Remote Desktop access of the host by setting the DisableRestrictedAdmin registry value to 0.

Remote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access utility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen credentials.

Detection and Mitigation Opportunities

Given the vast number of techniques used by these adversaries, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Process Injection (T1055) and Reflective DLL Injection (T1620):

GootLoader has been observed using techniques that obscure the true source of malicious activity. By injecting code into another active process or reflectively load code into its own process, with the aim of loading malicious code, the adversary may try to hide in the normal operating noise of the system or abuse overzealous whitelisting:

1a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised. It would be uncommon for these processes to be executing additional process or performing discovery techniques. You can look for similar activity using a signature like:

Parent Process Name CONTAINS (‘explorer.exe’ OR ‘svchost.exe’)
Command Line CONTAINS (‘set’ OR ‘whoami’ OR ‘ping’ OR ‘dir’)

1b. Mitigation

2. Logon Autostart Execution: Registry Run Keys (001):

Preventing an actor from maintaining a foothold in your environment should always be one of the top priorities. During its activities, GootLoader has been monitored using registry keys to achieve persistence.

2a. Detection

Using a SIEM or EDR Platform to see modifications to the Run and RunOnce keys will alert when unauthorized users or software makes modifications to the keys that allow programs to run   after startup.

Process Name == reg.exe
Command Line Contains (“ADD” AND “\CurrentVersion\Run”)

2b. Mitigation

MITRE ATT&CK does not have any direction mitigations as this is abusing legitimate Windows functionality. They recommend monitoring registry changes and process execution that may  attempt to add these keys.

Wrap-up

In summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against a highly active and sophisticated threat. With data generated from continuous testing and use of these attack graphs, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a well-known and dangerous threat.

AttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our fully managed service, AttackIQ Ready!, and our co-managed security service, AttackIQ Enterprise.