0xa - Gootloader.md

File metadata and controls

71 lines (36 loc) · 5.06 KB

Background - Gootloader

  • Gootloader is a well-known malware campaign that uses SEO poisoning to deliver malicious JavaScript files to end users who arrive via search results.

  • The threat actors are known for creating fake forum websites or for compromising existing forum websites and then inserting download links in comments and replies to entice users to download malicious templates and forms.

  • Kroll does a great job of breaking down a common attack sequence here:

Pasted image 20240705131555

  • Interestingly, I have personally investigated many Gootloader infections in the wild, where users of organizations were searching the internet for document templates related to their job roles, and inadvertently became infected.

  • If sensitive data can be successfully exfiltrated in large quantities, it is not uncommon to see it posted for sale on the dark web. Here's an example of what that looks like - the screenshot shows a post on the well-known underground forum BreachForums.

Pasted image 20240705131858

Analysis

  • This Gootloader sample arrives as a .zip archive containing a .js file. This particular sample is huge, with over 2.4k lines of code.

  • At first glance, the file appears to be nothing but generic, benign library code. Looking deeper, though, there are clearly some suspicious functions with unusual names.

Pasted image 20240705132132

  • The above pattern is commonplace throughout the script: the legitimate library code is padding. By searching for function declarations, we can immediately identify several functions that don't belong to the normal Underscore.js library and are likely malicious.
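The search described above can be automated for triage. The following is an added example, not code from the original write-up or from Mandiant's tooling: it extracts every `function name(` declaration from a JScript file and flags names that are not on a (partial, assumed) allowlist of Underscore.js helpers and that look machine-generated (digits in the name, almost no vowels). The embedded sample is constructed, not the real Gootloader sample.

```python
import re

# Constructed JScript excerpt standing in for the padded sample: a few
# genuine-looking Underscore.js helpers plus declarations with the kind of
# names an obfuscator emits. Not taken from the analysed file.
SAMPLE_JS = r"""
var _ = {};
function isArrayLike(collection) {
  var length = collection == null ? void 0 : collection.length;
  return typeof length == 'number' && length >= 0;
}
function createReduce(dir) { return function(obj, iteratee, memo) { return memo; }; }
function qzmk7vt2(a) { return a; }
function wxdr(b, c) { return b + c; }
function pluck(obj, key) { return obj[key]; }
"""

# Named function declarations only; anonymous "function(" expressions are skipped.
FUNC_DECL_RE = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\(")

# Partial allowlist (assumption): names an analyst would extend from the
# Underscore.js version the sample was padded with.
KNOWN_LIBRARY_NAMES = {
    "isArrayLike", "createReduce", "pluck", "each", "map",
    "filter", "reduce", "optimizeCb", "restArguments",
}


def name_oddities(name):
    """Heuristic reasons a function name looks generated rather than written."""
    reasons = []
    if any(c.isdigit() for c in name):
        reasons.append("contains digits")
    letters = [c for c in name if c.isalpha()]
    if letters and sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.2:
        reasons.append("almost no vowels")
    return reasons


def triage_function_names(js_text):
    """Return (all declared names, [(name, reasons)] for suspicious ones).

    A name is reported only if it is absent from the allowlist AND trips at
    least one heuristic, so unfamiliar-but-readable helpers are left alone.
    """
    names = FUNC_DECL_RE.findall(js_text)
    flagged = []
    for name in names:
        if name in KNOWN_LIBRARY_NAMES:
            continue
        reasons = name_oddities(name)
        if reasons:
            flagged.append((name, reasons))
    return names, flagged


if __name__ == "__main__":
    declared, suspicious = triage_function_names(SAMPLE_JS)
    print(f"{len(declared)} function declarations, {len(suspicious)} flagged")
    for name, reasons in suspicious:
        print(f"  {name}: {', '.join(reasons)}")
```

Run it against the extracted `.js` instead of `SAMPLE_JS` and review the flagged names first; names that are neither allowlisted nor flagged are worth a manual look but are usually library code.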

  • Due to its size and complexity, this would be extremely time-consuming to reverse-engineer by hand. Fortunately, Mandiant's GitHub hosts a set of Python scripts designed to de-obfuscate Gootloader samples.

  • Let's check them out:

Pasted image 20240705135453

  • I'll clone the repository on my REMnux machine and see if these scripts help with analyzing the sample.

  • After cloning the git repo and staging the Gootloader sample, here's what our folder ends up looking like:

Pasted image 20240705141249

  • Following Mandiant's guidance, we start by running GootLoaderAutoJsDecode.py against the sample, and it works perfectly. It outputs a decoded script file as well as host-based and network-based IOCs:

Pasted image 20240705141437

  • We now have a list of IOCs to incorporate into detection engineering and threat hunts.

  • Next, let's take a look at the fully decoded/de-obfuscated script output.

Pasted image 20240705141607

  • Beautiful. This is much easier to read. Next, let's clean it up with js-beautify and work out what it does.

Pasted image 20240705141919

  • That's much better. Now we can see that the script has a few key functions. First, it gathers some basic system information, which it compresses and Base64-encodes.

Pasted image 20240705151239

  • Then it picks a random URL from the embedded list and makes an HTTP request to it, sending the collected data in the request's Cookie header.

Pasted image 20240705151256

  • It then uses WScript to execute a command built from the server's response.

Pasted image 20240705151334

Summary

  • This is a typical Gootloader sample. It establishes persistence by creating a scheduled task named New Account Acquisition, and it sends collected data about the infected machine to the C2 server (chosen randomly from a list of embedded URLs) at <url>/xmlrpc[.]php.

  • It then executes commands based on the server's responses, facilitating the rest of the attack sequence.
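The beacon and persistence behaviour described in the analysis and summarised above translate directly into hunt logic. The following is an added example, not code from the original write-up: it runs two checks over constructed telemetry. The first flags HTTP requests to a URI ending in `/xmlrpc.php` whose Cookie header carries an opaque Base64 blob (decoding to a zlib/gzip stream or to mostly non-printable bytes, matching the compress-then-Base64 step of the script). The second flags Windows Security event 4698 (scheduled task created) records by the task name from this sample and, as a generalisation beyond it, any task whose action runs wscript.exe or cscript.exe. The record layouts, hostnames, paths and the "system information" blob are all assumptions made for the example.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
import zlib

# --- constructed telemetry (none of it comes from the analysed sample) -----

# Built the way the decoded script is described: system info, compressed,
# then Base64-encoded. The content is made up.
_FAKE_SYSINFO = (b"host=WORKSTATION-07;user=CORP\\jdoe;os=Windows 10 Enterprise;"
                 b"domain=corp.example;arch=x64;proc=wscript.exe;ver=10.0.19045")
BEACON_COOKIE = base64.b64encode(zlib.compress(_FAKE_SYSINFO)).decode()

# Assumed export from a proxy or PCAP that preserves request headers.
HTTP_RECORDS = [
    {"host": "blog.example.net", "method": "GET", "uri": "/wp-login.php",
     "cookie": "wordpress_test_cookie=WP+Cookie+check"},
    {"host": "shop.example.org", "method": "GET", "uri": "/xmlrpc.php",
     "cookie": BEACON_COOKIE},
    {"host": "news.example.com", "method": "POST", "uri": "/xmlrpc.php",
     "cookie": "PHPSESSID=8f1c0b2e9a4d; wp-settings-time-1=1720184400"},
]

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"


def _task_xml(command, arguments):
    """Minimal TaskContent XML as carried in event 4698 (constructed)."""
    return (f'<Task xmlns="{TASK_NS[1:-1]}"><Actions><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


TASK_EVENTS = [
    {"TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
     "TaskContent": _task_xml("%systemroot%\\system32\\usoclient.exe", "StartScan")},
    {"TaskName": "\\New Account Acquisition",
     "TaskContent": _task_xml("wscript.exe", "C:\\Users\\jdoe\\AppData\\Roaming\\placeholder.js")},
]

# --- check 1: beacon to /xmlrpc.php with an opaque Base64 cookie -----------

B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def cookie_values(cookie_header):
    """Yield candidate values from a Cookie header. A bare value (no name=)
    may end in '=' padding, so only a '=' before the trailing padding splits."""
    for part in cookie_header.split(";"):
        part = part.strip()
        if not part:
            continue
        yield part.split("=", 1)[1] if "=" in part.rstrip("=") else part


def is_opaque_base64(value):
    if not B64_RE.match(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    if raw[:1] == b"\x78" or raw[:2] == b"\x1f\x8b":   # zlib / gzip magic
        return True
    printable = sum(32 <= b < 127 for b in raw)
    return printable / len(raw) < 0.7                   # mostly binary payload


def find_c2_beacons(records):
    hits = []
    for rec in records:
        if not rec["uri"].lower().endswith("/xmlrpc.php"):
            continue
        if any(is_opaque_base64(v) for v in cookie_values(rec.get("cookie", ""))):
            hits.append(rec["host"] + rec["uri"])
    return hits

# --- check 2: scheduled task creation (event 4698) -------------------------

KNOWN_TASK_NAMES = {"new account acquisition"}      # from the analysed sample
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}       # generalisation, not sample-specific


def find_suspicious_tasks(events):
    hits = []
    for ev in events:
        reasons = []
        if ev["TaskName"].rsplit("\\", 1)[-1].lower() in KNOWN_TASK_NAMES:
            reasons.append("task name matches analysed sample")
        root = ET.fromstring(ev["TaskContent"])
        for cmd in root.iter(TASK_NS + "Command"):
            if (cmd.text or "").rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
                reasons.append("action runs a Windows Script Host binary")
        if reasons:
            hits.append((ev["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    print("beacons:", find_c2_beacons(HTTP_RECORDS))
    print("tasks:", find_suspicious_tasks(TASK_EVENTS))
```

Legitimate WordPress clients also call `/xmlrpc.php`, which is why the first check keys on the cookie shape rather than the path alone; the script-host rule in the second check will also surface benign admin scripts, so treat it as a hunt lead rather than a standalone alert.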