Gootloader
GootLoader is a JavaScript-based malware loader and downloader used for initial access. It was originally associated with the Gootkit banking trojan and was at one point used by the cybercriminals behind REvil; it has since evolved into an initial-access-as-a-service platform whose intrusions lead to follow-on tooling such as GootKit, Cobalt Strike, OysterLoader, and ransomware.

Distribution relies on SEO poisoning that drives victims searching for specific documents to compromised websites, many of them WordPress sites; newer reporting describes abuse of WordPress comment endpoints to deliver XOR-encrypted ZIP payloads, each with a unique key. The infection chain begins with a malicious ZIP archive containing heavily obfuscated JavaScript. Executing the JavaScript retrieves a Base64-encoded stager from command and control and launches encoded PowerShell stagers. Persistence has been observed through scheduled tasks, payloads written to the Registry, and, more recently, the Windows Startup folder; the malware also uses Windows 8.3 short filenames for evasion. Runtime behaviour includes spawning WScript/CScript and PowerShell, HTTP requests such as GET /xmlrpc.php, and transmission of Base64-encoded host enumeration data including USERNAME and USERDOMAIN.

GootLoader can check whether a victim system uses specific language preferences and uses IP geolocation to target users in territories including the United States, Canada, Germany, and South Korea. GootLoader intrusions have been linked to follow-on activity by Storm-0494 and Vanilla Tempest, including deployment of the Supper backdoor, AnyDesk, and ransomware such as LockBit, INC, Rhysida, BlackCat, Zeppelin, and Quantum Locker.

Reported indicators and artifacts include scheduled task names such as Business Aviation and Destination Branding, dropped JavaScript paths under AppData\Roaming\Notepad++, filenames such as Small Unit Tactics.js and Huthwaite SPIN selling.dat, and a malicious ZIP example named Are_bengal_cats_legal_in_australia_33924.zip.
Groups observed using it
4 distinct threat actors attributed by public researchers.
During the attack, Vanilla Tempest gained network access through the Storm-0494 threat actor, who infected the victim's systems with the Gootloader malware downloader.
GootLoader, a JavaScript-based malware loader, returned with new obfuscation techniques. It uses custom WOFF2 fonts and exploits WordPress comment sections to deliver malicious payloads.
Techniques & procedures
25 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance
1 technique
Gootloader can use IP geolocation to determine if the person browsing to a compromised site is within a targeted territory such as the US, Canada, Germany, and South Korea. SocGholish can use IP-based geolocation to limit infections to victims in North America, Europe, and a small number of Asian-Pacific nations.
Resource Development
2 techniques
The malicious websites employ typosquatted domains designed to deceive users into believing they are accessing official software sources.
Attackers distribute it primarily through SEO poisoning tactics, manipulating search results to direct users to compromised websites.
Initial Access
2 techniques
The malware also exploits WordPress comment endpoints to deliver XOR-encrypted ZIP payloads, each with a unique key.
The infection started when a user searched for a specific document online. Search engine optimization (SEO) poisoning directed the user to a URL on a compromised WordPress site that hosted a ZIP file containing a malicious JavaScript file.
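The XOR-encrypted ZIP delivery described above invites a standard analyst move: a ZIP's local file header and its end-of-central-directory record contain bytes that are fixed for any comment-free, single-disk archive, so a repeating XOR key can be recovered by known plaintext and then confirmed by checking the archive's CRCs. The Python below is an added example, not GootLoader code and not the page's own; it assumes a repeating-key XOR of at most 8 bytes applied to an unmodified ZIP with no archive comment, which is an assumption, since the page does not describe the scheme's key length or layout. The sample archive and key are constructed inline.

```python
import io
import zipfile
from typing import Dict, Optional

ZIP_LOCAL_SIG = b"PK\x03\x04"   # first bytes of every ZIP local file header
ZIP_EOCD_SIG = b"PK\x05\x06"    # end-of-central-directory (EOCD) record signature
MAX_KEY_LEN = 8                 # eight consecutive known EOCD bytes pin down any repeating key up to this length


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def known_plaintext(length: int) -> Dict[int, int]:
    """Offsets whose plaintext we know for a single-disk ZIP with no archive comment (assumption)."""
    known = {i: b for i, b in enumerate(ZIP_LOCAL_SIG)}
    eocd = length - 22          # EOCD is the last 22 bytes when the comment length is zero
    # signature, then "number of this disk" and "disk with central directory", both zero
    for i, b in enumerate(ZIP_EOCD_SIG + b"\x00\x00\x00\x00"):
        known[eocd + i] = b
    known[eocd + 20] = 0        # comment length, low byte
    known[eocd + 21] = 0        # comment length, high byte
    return known


def recover_xor_key(blob: bytes, max_key_len: int = MAX_KEY_LEN) -> Optional[bytes]:
    """Try key lengths 1..max_key_len; accept the first key whose plaintext is a ZIP passing CRC checks."""
    if len(blob) < 22 + len(ZIP_LOCAL_SIG):
        return None
    known = known_plaintext(len(blob))
    for klen in range(1, max_key_len + 1):
        key: list = [None] * klen
        consistent = True
        for off, pt in known.items():
            kb = blob[off] ^ pt
            if key[off % klen] is None:
                key[off % klen] = kb
            elif key[off % klen] != kb:
                consistent = False      # two known bytes disagree about this key position
                break
        if not consistent or None in key:
            continue
        candidate = bytes(key)
        plain = xor_bytes(blob, candidate)
        try:
            with zipfile.ZipFile(io.BytesIO(plain)) as zf:
                if zf.testzip() is None:   # every member's CRC matches: this is the key
                    return candidate
        except Exception:                  # bad central directory or offsets: wrong key length
            continue
    return None


def build_sample_encrypted_zip(key: bytes) -> bytes:
    """Constructed sample, not a real GootLoader artifact: one .js member, then XOR'd with `key`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Small Unit Tactics.js", "WScript.Echo('constructed sample');")
    return xor_bytes(buf.getvalue(), key)


def extract_member_names(blob: bytes, key: bytes) -> list:
    """Decrypt with a recovered key and list the archive members without extracting them."""
    with zipfile.ZipFile(io.BytesIO(xor_bytes(blob, key))) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample_key = bytes([0x5A, 0x13, 0x9C, 0x07, 0xE1])   # constructed 5-byte key
    encrypted = build_sample_encrypted_zip(sample_key)
    found = recover_xor_key(encrypted)
    print("recovered key:", found.hex() if found else None)
    print("members:", extract_member_names(encrypted, found))
```

Against a real sample, feed the downloaded blob to recover_xor_key and, if it returns None, widen max_key_len or add further known bytes (for example the "version needed" field that most archivers emit as 0x14 0x00); the CRC pass is what prevents a coincidentally consistent wrong key from being accepted.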
Execution
5 techniques
GootLoader shifted its persistence mechanism from scheduled tasks to the Windows Startup folder.
We additionally observed the creation of a scheduled task named “Business Aviation”... This was suspected to be a persistence method... Persistence was obtained via CScript.exe executing the file SMALLU~1.js via a scheduled task named Destination Branding.
Executing the JavaScript initially downloaded PowerShell scripts from three remote locations. When run, the PowerShell scripts started an infection chain that resulted in the execution of Cobalt Strike Beacon.
AppleSeed has the ability to use JavaScript to execute PowerShell. APT32 has used JavaScript for drive-by downloads and C2 communications. Astaroth uses JavaScript to perform its core functionalities.
Due to the disproportional amount of phishing cases we reported, the technique associated with “Malicious File – T1204.002” is at the top of the list.
Persistence
5 techniques
Examples include APT3 placing scripts in the startup folder, APT32 using Run keys to execute PowerShell and VBS scripts, TA2541 placing VBS files in the Startup folder, TeamTNT adding batch scripts to the startup folder, and Smoke Loader adding a script in the Startup folder to deploy the payload.
GootLoader shifted its persistence mechanism from scheduled tasks to the Windows Startup folder.
We additionally observed the creation of a scheduled task named “Business Aviation”... This was suspected to be a persistence method... Persistence was obtained via CScript.exe executing the file SMALLU~1.js via a scheduled task named Destination Branding.
Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.
APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts... Cobalt Group ... set a Startup path to launch the PowerShell shell command and download Cobalt Strike. DownPaper uses PowerShell to add a Registry Run key in order to establish persistence. | The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Privilege Escalation
5 techniques
Examples include APT3 placing scripts in the startup folder, APT32 using Run keys to execute PowerShell and VBS scripts, TA2541 placing VBS files in the Startup folder, TeamTNT adding batch scripts to the startup folder, and Smoke Loader adding a script in the Startup folder to deploy the payload.
GootLoader shifted its persistence mechanism from scheduled tasks to the Windows Startup folder.
We additionally observed the creation of a scheduled task named “Business Aviation”... This was suspected to be a persistence method... Persistence was obtained via CScript.exe executing the file SMALLU~1.js via a scheduled task named Destination Branding.
"Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code." / "Astaroth can create a new process in a suspended state... unmap its memory and replace it with malicious code." / "Emotet uses a copy of certutil.exe stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code."
APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts... Cobalt Group ... set a Startup path to launch the PowerShell shell command and download Cobalt Strike. DownPaper uses PowerShell to add a Registry Run key in order to establish persistence. | The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Stealth
5 techniques
The malware's latest version hides filenames using WOFF2 font glyph substitution, complicating detection. ... GootLoader "leverages custom WOFF2 fonts with glyph substitution to obfuscate filenames."
A string analysis of the dropped file was not useful in identifying its intent, as the JavaScript was heavily obfuscated... The decoder also identified various malicious domain names within the obfuscated strings.
It still uses Windows 8.3 short filenames to evade detection.
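The Execution and Persistence entries (CScript.exe launching SMALLU~1.js from a scheduled task named Destination Branding, the later shift to the Startup folder) and the 8.3 short-filename note above describe one hunt: script hosts running .js files from user-writable paths, referenced by short names, launched by the Task Scheduler or from Startup. The Python below is an added detection example, not from the page or from any vendor rule, run over constructed process-creation and task-creation events; the event field names are a hypothetical Sysmon-like schema. Short-name detection is a regex for a `~N` path component, since the long name cannot be resolved offline; the svchost.exe parent check is a weak signal that the Task Scheduler service started the process.

```python
import re
from typing import Dict, List

# Constructed sample events, not real telemetry; field names are a hypothetical schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'cscript.exe "C:\Users\alice\AppData\Roaming\NOTEPA~1\SMALLU~1.js"'},
    {"event": "task_create",
     "task_name": "Destination Branding",
     "action": r'"C:\Windows\System32\cscript.exe" "C:\Users\alice\AppData\Roaming\Notepad++\Small Unit Tactics.js"'},
    {"event": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\quarterly report.js"'},
    {"event": "process_create",        # benign: admin running a Microsoft script from System32
     "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|vbs|vbe)\b", re.IGNORECASE)
SHORT_NAME = re.compile(r"[A-Z0-9_]{1,6}~\d+", re.IGNORECASE)          # 8.3 component such as SMALLU~1
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Temp\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def score_command(cmd: str) -> List[str]:
    """Reasons a script-host command line resembles a GootLoader-style launch."""
    reasons = []
    if SHORT_NAME.search(cmd):
        reasons.append("8.3 short filename in script path")
    if USER_WRITABLE.search(cmd):
        reasons.append("script under user-writable profile path")
    if STARTUP_DIR.search(cmd):
        reasons.append("script in Startup folder")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[dict]:
    """Flag script-host executions and scheduled tasks that match the persistence pattern."""
    findings = []
    for ev in events:
        if ev["event"] == "process_create":
            image = ev["image"].lower().rsplit("\\", 1)[-1]
            if image not in SCRIPT_HOSTS or not SCRIPT_EXT.search(ev["cmdline"]):
                continue
            reasons = score_command(ev["cmdline"])
            if ev["parent"].lower().endswith("\\svchost.exe"):
                reasons.append("launched by svchost.exe (consistent with a scheduled task)")
        elif ev["event"] == "task_create":
            action = ev["action"]
            if not any(h in action.lower() for h in SCRIPT_HOSTS) or not SCRIPT_EXT.search(action):
                continue
            reasons = ["scheduled task runs a script host"] + score_command(action)
            reasons.append(f"task name: {ev['task_name']}")
        else:
            continue
        if reasons:
            findings.append({"event": ev, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["event"].get("cmdline") or f["event"].get("action"))
        for r in f["reasons"]:
            print("   -", r)
```

The benign slmgr.vbs run is not flagged because it has none of the path signals and its parent is cmd.exe; in production the task-name reasons are for triage only, since the observed names (Business Aviation, Destination Branding) are chosen to look mundane and will change.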
"Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code." / "Astaroth can create a new process in a suspended state... unmap its memory and replace it with malicious code." / "Emotet uses a copy of certutil.exe stored in a temporary directory for process hollowing, starting the program in a suspended state before loading malicious code."
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Defense Impairment
1 technique
Discovery
4 techniques
Multiple tools/actors are described using Active Directory/domain group enumeration, e.g., "AdFind can enumerate domain groups", "net group "domain admins" /domain to enumerate domain groups", "BloodHound can collect information about domain groups and members", and "AD Explorer tool to enumerate groups on a victim's network."
The requests contained Base64-encoded cookies which, when decoded, showed enumeration information regarding device directories and host information... the process would read USERNAME and USER DOMAIN information and send the data to the URIs.
Examples include: “Gootloader can determine if a targeted system is part of an Active Directory domain by expanding the %USERDNSDOMAIN% environment variable”, “GRIFFON…retrieve Windows domain membership information”, “Inception…gather domain membership”, and “REvil can identify the domain membership of a compromised host.”
Avaddon checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities... Bazar can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian... Clop has checked the keyboard language using the GetKeyboardLayout() function... Ryuk has been observed to query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language and the value InstallLanguage.
Command and Control
2 techniques
Vanilla Tempest gained network access through the Storm-0494 threat actor, who infected the victim's systems with the Gootloader malware downloader.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Exfiltration
1 technique
FakeNet showed various domain names being reached out to with GET /xmlrpc.php HTTP/1.1 requests via Powershell.exe. The requests contained Base64-encoded cookies... showing enumeration information regarding device directories and host information.
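The Discovery and Exfiltration entries above describe the same artifact from two sides: GET requests to /xmlrpc.php issued by powershell.exe whose cookie header carries Base64-encoded host enumeration (USERNAME, USERDOMAIN, directory listings). The Python below is an added detection example, not from the page or from any vendor rule, run over constructed proxy records; the decoded payload layout (USERNAME=...;USERDOMAIN=...) and the record field names are assumptions, since the page only says the cookies decoded to enumeration data. It combines three signals: a GET to xmlrpc.php (WordPress answers GETs with "XML-RPC server accepts POST requests only", so legitimate clients POST), a PowerShell user agent, and a cookie value that decodes from Base64 to printable text containing enumeration markers.

```python
import base64
import binascii
import re
import string
from typing import Dict, List

# Constructed sample proxy records, not real telemetry. The payload layout is hypothetical.
_ENUM = "USERNAME=alice;USERDOMAIN=CORP;COMPUTERNAME=WS-1031;C:\\Users\\alice\\Documents;C:\\Program Files"
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"src": "10.0.0.5", "method": "POST", "host": "blog.example.test", "path": "/xmlrpc.php",
     "user_agent": "WordPress/6.5; https://blog.example.test", "cookie": ""},          # benign pingback
    {"src": "10.0.0.7", "method": "GET", "host": "random-compromised-site.test", "path": "/xmlrpc.php",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) WindowsPowerShell/5.1.19041.1",
     "cookie": "s=" + base64.b64encode(_ENUM.encode()).decode()},                     # suspicious
    {"src": "10.0.0.7", "method": "GET", "host": "www.example.test", "path": "/index.php",
     "user_agent": "Mozilla/5.0", "cookie": "PHPSESSID=8d3a2c; wordpress_test_cookie=WP+Cookie+check"},
]

PRINTABLE = set(string.printable)
ENUM_MARKERS = re.compile(r"USERNAME=|USERDOMAIN=|COMPUTERNAME=|[A-Z]:\\Users\\", re.IGNORECASE)


def decode_b64_cookies(cookie_header: str) -> List[str]:
    """Return every cookie value that is strict Base64 and decodes to printable text."""
    out = []
    for part in cookie_header.split(";"):
        value = part.split("=", 1)[-1].strip()          # split on the first '=' only; padding '=' stays
        if len(value) < 16 or len(value) % 4:
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("latin-1")                    # never fails; printability is checked next
        if text and all(ch in PRINTABLE for ch in text):
            out.append(text)
    return out


def analyze(records: List[Dict[str, str]]) -> List[dict]:
    """Flag xmlrpc.php requests that look like GootLoader host-enumeration beacons."""
    findings = []
    for rec in records:
        if not rec["path"].lower().endswith("/xmlrpc.php"):
            continue
        reasons = []
        if rec["method"].upper() == "GET":
            reasons.append("GET to xmlrpc.php (legitimate XML-RPC calls are POSTs)")
        if "powershell" in rec["user_agent"].lower():
            reasons.append("PowerShell user agent")
        hits = [d for d in decode_b64_cookies(rec["cookie"]) if ENUM_MARKERS.search(d)]
        if hits:
            reasons.append("Base64 cookie decodes to host enumeration")
        # a decoded enumeration payload is conclusive on its own; otherwise require two weaker signals
        if hits or len(reasons) >= 2:
            findings.append({"record": rec, "reasons": reasons, "decoded": hits})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f["record"]["src"], "->", f["record"]["host"], f["reasons"])
        for d in f["decoded"]:
            print("   decoded:", d)
```

The benign pingback is a POST with no cookie and is ignored; the third record never reaches the checks because it is not an xmlrpc.php request. When hunting in real proxy or Zeek http logs, the decoded text is what you pivot on: the USERNAME and USERDOMAIN values identify the infected host and account before the PowerShell stager has been recovered.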
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
66 sources tracked across advisories, community write-ups, and news.
Referenced as malware used in a supply-chain style campaign for comparison with the Smart Slider 3 Pro compromise.
Referenced as a comparable loader-for-hire occupying the same operational niche as MintsLoader.
A malware loader distributed via malformed ZIP archives designed to hinder automated extraction/analysis by tools like 7-Zip and WinRAR while still being extractable by Windows’ built-in unarchiver for payload delivery.
References
https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations