This post was authored by our Director of Technology, Brad Freeman.
SenseOn’s in-depth analysis of the Gootkit malware family breaks down the Gootkit attack chain. Using SenseOn’s advanced telemetry, our cybersecurity analyst team was able to examine the latest Gootkit attack methods step by step.
SenseOn has a wide range of threat intelligence and security analytics to detect malware infections, such as Gootkit. This article is a technical summary of the Gootkit malware infection chain designed to help security teams understand the risk of Gootkit malware.
Gootkit is a family of Node.js-based malware first described in 2014. Initially described as a “banking trojan,” Gootkit has evolved into a highly evasive info stealer and remote access trojan (RAT).
An interesting feature of Gootkit is its distribution method. Threat actors have been observed spreading Gootkit through advanced search engine optimization (SEO) poisoning.
To trick users into downloading Gootkit, threat actors hijack legitimate websites and replace real search engine results with compromised web pages.
Gootkit threat actors create web pages and blog posts designed to appear on Google’s search engine results page when users enter specific queries they want to find information on.
These web pages answer specific search questions, e.g., “financial services in my city.” They then direct users to download compromised files related to their query, e.g., “the ultimate guide to financial services in my local city.pdf”.
Web pages poisoned with Gootkit tend to target victims within specific geographical areas and serve malicious content to users depending on where their IP address is located.
Once downloaded, Gootkit allows threat actors to record a user’s keystrokes (and, as a result, their passwords and login details) as well as a massive amount of technical information about their device and network configurations.
Recently, Gootkit has also been observed within ransomware attack chains.
Wider reporting on Gootkit indicates that after an initial intrusion, Gootkit can deploy additional final payloads such as REvil (Sodinokibi) ransomware, as well as malicious PowerShell scripts and fileless malware such as Cobalt Strike.
This wide range of potential malicious use cases was observed during a recent wave of cyber attacks on the Australian healthcare industry.
A wide range of lures (which act as loaders) have been analysed. In every case, the keyword ‘agreement’ was used alongside terms common in the legal and financial sectors. This may indicate an element of targeting or an attempt to make the lures more attractive to higher-value targets. All samples contained a random ASCII string of between 2 and 5 characters at the end of the filename to reduce the effectiveness of signature-based blocking.
Filenames observed in the recent campaign are shown below:
What_is_a_free_trade_agreement_for (<random string>).zip
Supplemental_agreement_pa_workers_compensation (<random string>).zip
Usmca_trade_agreement_summary (<random string>).zip
What_is_an_api_license_agreement (<random string>).zip
Subject_verb_agreement_worksheets_with_answers_grade_5 (<random string>).zip
Coal_offtake_agreement_sample (<random string>).zip
Online_rent_agreement_service_pune (<random string>).zip
Shared_facility_use_agreement (<random string>).zip
Sample_family_mediation_agreement (<random string>).zip
Microsoft_ea_agreement_levels (<random string>).zip
Which_sentence_has_proper_subject-verb_agreement (<random string>).zip
How_to_cite_a_collective_bargaining_agreement_in_apa (<random string>).zip
Safety_data_exchange_agreement_template (<random string>).zip
What_is_the_use_of_subject_verb_agreement_in_spoken_language (<random string>).zip
Single_family_purchase_and_sales_agreement_rhode_island_association_of (<random string>).zip
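Because the random suffix changes with every sample, an exact-match signature on the filename fails while the lure stem stays constant. The following is an added example, not SenseOn’s code or detection content: it normalises filenames that follow the pattern described above (the keyword ‘agreement’, a 2–5 character ASCII suffix in parentheses, a .zip extension) so that the suffix-free stem can be matched instead. The sample filenames are constructed from the list above with made-up suffixes.

```python
import re

# Constructed filenames modelled on the campaign's pattern; the suffixes are invented.
SAMPLE_FILENAMES = [
    "What_is_a_free_trade_agreement_for (x7Kq).zip",
    "Microsoft_ea_agreement_levels (bZ).zip",
    "Coal_offtake_agreement_sample (Q9pLm).zip",
    "Quarterly_report (abc).zip",                          # no 'agreement' keyword
    "Shared_facility_use_agreement.zip",                   # no random suffix
    "Sample_family_mediation_agreement (toolong1).zip",    # suffix longer than 5 chars
]

# Stem containing 'agreement', one space, a 2-5 character alphanumeric token in
# parentheses, then .zip. Case-insensitive so keyword casing does not matter.
LURE_PATTERN = re.compile(
    r"^(?P<stem>[A-Za-z0-9_\-]*agreement[A-Za-z0-9_\-]*) "
    r"\((?P<suffix>[A-Za-z0-9]{2,5})\)\.zip$",
    re.IGNORECASE,
)


def normalise_lure(filename: str):
    """Return the lower-cased, suffix-free stem if the filename matches the
    lure pattern, otherwise None. The stem is what a signature should key on."""
    match = LURE_PATTERN.match(filename)
    if match is None:
        return None
    return match.group("stem").lower()


def find_lures(filenames):
    """Map each matching filename to its normalised stem."""
    found = {}
    for name in filenames:
        stem = normalise_lure(name)
        if stem is not None:
            found[name] = stem
    return found


if __name__ == "__main__":
    for name, stem in find_lures(SAMPLE_FILENAMES).items():
        print(f"{name!r} -> {stem}")
```

The normalised stem, not the full filename, is the stable value to feed into download or mail-gateway blocklists; the random suffix is discarded before comparison.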
Analysing submitted samples on VirusTotal indicates that many instances of Gootkit loaders have a low detection rate when analysed by traditional anti-virus systems.
.js file on their endpoint, the attacker will gain access to the environment via User Execution.
Gootkit has a very effective persistence mechanism.
C:\Users\<username>\AppData\Roaming\<vendor> wscript DEVICE~1.JS, where various software provider names were chosen to appear legitimate, such as Microsoft, WinRAR, and Adobe.
Gootkit then launches PowerShell.exe and changes the case of the executable (as Windows is case-insensitive) so the running process appears as pOWeRshelL.exe – this is a basic method to evade poor signature-based detection methods.
The DEVICE~1.JS script injects itself into an svchost.exe process and connects to a new list of up to 50 command and control servers. External connections are then sourced directly from
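The persistence path and the mixed-case PowerShell launch described above both yield to rules that compare process names case-insensitively and key on where a script runs from. The following is an added example, not SenseOn’s detection logic: it applies three such rules to constructed process-creation events. The user name, the vendor folder and the paths are placeholders, and the set of accepted spellings is an assumption about what legitimate launchers in a given estate use.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record as a host sensor would report it (constructed)."""
    image: str          # path of the new process, in the casing the launcher used
    command_line: str
    parent_image: str


# Constructed events modelled on the behaviour described above; not observed indicators.
SAMPLE_EVENTS = [
    # 0. Persistence: wscript running a .JS from a vendor-named Roaming folder
    ProcessEvent(
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r'wscript "C:\Users\alice\AppData\Roaming\Adobe\DEVICE~1.JS"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
    # 1. PowerShell spawned by wscript with a mixed-case image name
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\pOWeRshelL.exe",
        command_line="pOWeRshelL.exe",
        parent_image=r"C:\Windows\System32\wscript.exe",
    ),
    # 2. Benign: an administrator's interactive PowerShell
    ProcessEvent(
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line="powershell.exe",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    # 3. Benign: a logon script run by wscript from outside the user profile
    ProcessEvent(
        image=r"C:\Windows\System32\wscript.exe",
        command_line=r'wscript "C:\Scripts\logon.vbs"',
        parent_image=r"C:\Windows\System32\userinit.exe",
    ),
]

# A .js script under <profile>\AppData\Roaming\<any single folder>\ ; case-insensitive.
ROAMING_JS = re.compile(r'\\AppData\\Roaming\\[^\\]+\\[^\\\s"]+\.js\b', re.IGNORECASE)

# Spellings assumed to be used by legitimate launchers (assumption, tune per estate).
ACCEPTED_SPELLINGS = {"powershell.exe", "PowerShell.exe", "wscript.exe", "WScript.exe"}


def image_name(path: str) -> str:
    """Basename of a Windows path, preserving the casing the sensor recorded."""
    return ntpath.basename(path)


def wscript_from_roaming(ev: ProcessEvent) -> bool:
    """wscript.exe executing a script from AppData\\Roaming (persistence pattern)."""
    return (image_name(ev.image).lower() == "wscript.exe"
            and ROAMING_JS.search(ev.command_line) is not None)


def powershell_child_of_wscript(ev: ProcessEvent) -> bool:
    """PowerShell spawned by wscript; both names are lower-cased before comparison,
    so the pOWeRshelL.exe trick does not slip past the rule."""
    return (image_name(ev.image).lower() == "powershell.exe"
            and image_name(ev.parent_image).lower() == "wscript.exe")


def noncanonical_case(ev: ProcessEvent) -> bool:
    """Weak signal: a well-known script host recorded with unusual casing.
    Used to enrich an alert, not to raise one on its own."""
    name = image_name(ev.image)
    return name.lower() in {"powershell.exe", "wscript.exe"} and name not in ACCEPTED_SPELLINGS


RULES = {
    "wscript_from_roaming": wscript_from_roaming,
    "powershell_child_of_wscript": powershell_child_of_wscript,
    "noncanonical_case": noncanonical_case,
}


def triage(events):
    """Return {event index: [matching rule names]} for events that hit any rule."""
    hits = {}
    for i, ev in enumerate(events):
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits[i] = matched
    return hits


if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS).items():
        print(index, rules)
```

The point of the second rule is that the parent/child relationship survives the case change: a rule written as an exact string match on "powershell.exe" would miss event 1, while lower-casing both names first catches it.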
All command and control servers extracted from the sample called back to
Sent with the connection to the command and control server is a unique identifier for each device. Other variables are sent as a Base64-encoded cookie, including:
The variables are commented inline on the below extract of the deobfuscated script, as observed by the SenseOn analyst team.
Gootkit command and control traffic is sent over HTTP and TLS. The HTTP user agent is modified to look like a Windows OS running a recent version of the Google Chrome browser (version 107). A connection to the command and control servers is made once every 20 seconds.
SenseOn’s unified telemetry can observe the traffic from the source process being sent to the command and control servers.
Our analysis of recent Gootkit activity indicates the possibility of targeting the financial and legal sectors. Because it spreads its lures on compromised websites and makes heavy use of obfuscation, weaving malicious code alongside legitimate code, it is likely to evade many web filters. Due to its prevalence, any large organisation in the finance or legal sector is likely to have Gootkit downloads. We have observed it bypassing traditional anti-virus, and preventative controls alone are unlikely to prevent infection.
With each infected host connecting to multiple command and control servers at a rate of only one connection every 20 seconds, the number of connections to any single server may stay below a threshold that would be detected through network analysis alone. Organisations should assess their susceptibility to the TTPs discussed above.
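The 20-second beacon and the rotation across many command and control servers described above work against per-destination thresholds, but not against a view that groups requests by source host. The following is an added example, not SenseOn’s detection logic: it parses constructed proxy log lines, shows that a per-destination count threshold stays silent, and then finds the beaconing host by the regularity of its inter-request interval regardless of destination. The log format, the host names, the placeholder destinations under .invalid, the user agent string and the thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import median, pstdev

# Constructed user agent modelled on the description above (Windows, Chrome 107);
# not a string taken from the sample.
CHROME_107_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36")


def build_sample_log():
    """Constructed proxy log lines: '<epoch> <src_host> <dst_host> <user_agent>'."""
    lines = []
    t0 = 1_700_000_000
    # ws-17: one request every 20 s for ten minutes, rotating across five
    # placeholder destinations (the page reports up to 50 per sample).
    c2 = [f"c2-{i:02d}.invalid" for i in range(5)]
    for i in range(30):
        lines.append(f"{t0 + 20 * i} ws-17 {c2[i % len(c2)]} {CHROME_107_UA}")
    # ws-22: ordinary browsing with irregular gaps and the same user agent.
    t = t0
    sites = ["intranet.example", "news.example"]
    for i, gap in enumerate([7, 45, 12, 88, 30, 5, 61, 22, 40, 15, 33, 70]):
        t += gap
        lines.append(f"{t} ws-22 {sites[i % 2]} {CHROME_107_UA}")
    return lines


def parse(lines):
    """Split each line into (timestamp, src, dst, user_agent)."""
    events = []
    for line in lines:
        ts, src, dst, ua = line.split(maxsplit=3)
        events.append((int(ts), src, dst, ua))
    return events


def naive_per_destination_alerts(events, threshold=10):
    """Alert on (src, dst) pairs with more than `threshold` requests. This is the
    per-destination view that rotating across many servers keeps quiet."""
    counts = defaultdict(int)
    for _, src, dst, _ in events:
        counts[(src, dst)] += 1
    return {pair for pair, n in counts.items() if n > threshold}


def beacon_candidates(events, expected=20, tolerance=2, min_events=10):
    """Group by source host regardless of destination and flag hosts whose
    inter-request interval is steady and close to `expected` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in events:
        by_src[src].append((ts, dst))
    found = {}
    for src, items in by_src.items():
        if len(items) < min_events:
            continue
        items.sort()
        gaps = [b[0] - a[0] for a, b in zip(items, items[1:])]
        med, jitter = median(gaps), pstdev(gaps)
        if abs(med - expected) > tolerance or jitter > tolerance:
            continue
        per_dst = defaultdict(int)
        for _, dst in items:
            per_dst[dst] += 1
        found[src] = {
            "median_gap": med,
            "jitter": round(jitter, 2),
            "destinations": len(per_dst),
            "max_per_destination": max(per_dst.values()),
        }
    return found


if __name__ == "__main__":
    ev = parse(build_sample_log())
    print("per-destination alerts:", naive_per_destination_alerts(ev))
    print("beacon candidates:", beacon_candidates(ev))
```

On the constructed data the per-destination rule returns nothing, because no single server sees more than six requests, while the source-host view reports ws-17 with a 20-second median gap and zero jitter across five destinations. The user agent is deliberately not used as a signal here: it imitates a real browser, so on its own it only becomes useful when compared against the browser versions actually deployed in the estate.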