Laura

10/02/2023

Exploring the Gootkit loader infection chain

This post was authored by our Director of Technology, Brad Freeman.

SenseOn’s in-depth analysis of the Gootkit malware family breaks down the Gootkit attack chain. Using SenseOn’s telemetry, our cybersecurity analyst team was able to reconstruct the latest Gootkit attack methods.

SenseOn has a wide range of threat intelligence and security analytics to detect malware infections, such as Gootkit. This article is a technical summary of the Gootkit malware infection chain designed to help security teams understand the risk of Gootkit malware.

About Gootkit

Gootkit is a family of Node.JS-based malware first described in 2014. Initially described as a “banking trojan,” Gootkit has evolved into a highly evasive info stealer and remote access trojan (RAT). 

An interesting feature of Gootkit is its distribution method. Threat actors have been observed spreading Gootkit through advanced search engine optimization (SEO) poisoning.

To trick users into downloading Gootkit, threat actors hijack legitimate websites and replace real search engine results with compromised web pages. 

Gootkit threat actors create web pages and blog posts designed to appear on Google’s search engine results page when users enter specific queries they want to find information on. 

These web pages answer specific search questions, e.g., “financial services in my city.” They then direct users to download compromised files related to their query, e.g., “the ultimate guide to financial services in my local city.pdf”.

Web Pages poisoned with Gootkit tend to target victims within specific geographical areas and serve malicious content to users depending on where their IP address is located. 

Once downloaded, Gootkit allows threat actors to record a user’s keystrokes (and, as a result, their passwords and login details) as well as a massive amount of technical information about their device and network configurations. 

Recently, Gootkit has also been observed within ransomware attack chains. 

Wider reporting on Gootkit indicates that after an initial intrusion, Gootkit can deploy additional final payloads such as REvil (Sodinokibi) ransomware as well as malicious powershell scripts and fileless malware such as Cobalt Strike. 

This wide range of potential malicious use cases was observed during a recent wave of cyber attacks on the Australian healthcare industry.

Initial Access

Gootkit spreads through SEO poisoning, in which an attacker manipulates search engine results to promote malicious content for search terms chosen to match their targets. In a recent campaign, victims are lured into downloading a .zip archive which contains a hostile JavaScript file, which acts as the loader. The files are hosted on legitimate but compromised websites, a method which is likely used to evade many forms of content filtering.

A wide range of lures (which act as loaders) have been analysed. In every case, the keyword ‘agreement’ was used alongside terms common in the legal and financial sectors. This may indicate an element of targeting or an attempt to make the lures more attractive to higher-value targets. All samples contained a random ASCII string of between 2 and 5 characters at the end of the filename to reduce the effectiveness of signature-based blocking.
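The lure layout described above (a zip whose single member is a .js file with the same name, a legal or financial term plus ‘agreement’, and a short random token before the extension) can be triaged automatically at a mail or web gateway. The following is an added example written for this article, not SenseOn’s code: the separator between the lure text and the random token, the sector word list and the sample filenames are all assumptions; the 2–5 character token length and the ‘agreement’ keyword come from the text.

```python
import io
import re
import zipfile

LURE_KEYWORD = "agreement"
# Assumed sector vocabulary; extend from your own observations.
SECTOR_TERMS = ("contract", "lease", "loan", "financial", "legal",
                "tax", "invoice", "partnership", "employment", "settlement")
# Short random ASCII token before the extension. The 2-5 length is from the
# post; the separator (space, underscore or hyphen) is an assumption.
SUFFIX_RE = re.compile(r"[ _-]([A-Za-z0-9]{2,5})\.(js|zip)$", re.IGNORECASE)


def score_lure_name(filename: str) -> dict:
    """Heuristic score of a filename against the lure pattern in the post."""
    name = filename.lower()
    reasons = []
    if name.endswith(".js"):
        reasons.append("javascript file")
    if LURE_KEYWORD in name:
        reasons.append("contains 'agreement'")
    if any(term in name for term in SECTOR_TERMS):
        reasons.append("legal/financial term")
    if SUFFIX_RE.search(filename):
        reasons.append("short random-looking token before extension")
    return {"filename": filename, "score": len(reasons), "reasons": reasons}


def inspect_archive(zip_name: str, data: bytes) -> dict:
    """Check a zip for the loader layout: exactly one member, a .js file
    whose stem equals the archive's own name without the .zip extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.namelist()
    zip_stem = re.sub(r"\.zip$", "", zip_name, flags=re.IGNORECASE).lower()
    matching = [m for m in members
                if m.lower().endswith(".js")
                and re.sub(r"\.js$", "", m, flags=re.IGNORECASE).lower() == zip_stem]
    best = max((score_lure_name(m) for m in members),
               key=lambda s: s["score"], default=None)
    return {
        "members": members,
        "single_js_same_name": bool(matching) and len(members) == 1,
        "best_name_score": best,
    }


def build_constructed_zip(member_name: str, payload: bytes = b"// placeholder\n") -> bytes:
    """Build an in-memory zip for demonstration only; it is constructed, not a sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed filename in the shape the post describes.
    name = "loan agreement template 4k2x"
    archive = build_constructed_zip(name + ".js")
    print(inspect_archive(name + ".zip", archive))
```

The two checks are deliberately independent: the archive-layout check catches the structure even when the vocabulary changes, and the name score catches renamed members; a gateway rule would act on the combination rather than on either alone.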

Filenames observed in the recent campaign are shown below:

Analysing submitted samples on VirusTotal indicates that many instances of Gootkit loaders have a low detection rate when analysed by traditional anti virus systems.

Detection evolution of a Gootkit sample on VirusTotal

Execution

Upon extracting the recently downloaded zip archive, the victim is presented with a JavaScript file with the same filename lure as its parent zip. If at this stage the user runs the .js file on their endpoint, the attacker will gain access to the environment via User Execution.

The downloaded zip archive is approximately 20KB and expands to 50KB when unpacked. To hamper analysis efforts, roughly 50% of the file is legitimate code which isn’t part of the loader. The legitimate code SenseOn observed is from a version of the open source D3 JavaScript library released over 10 years ago (version 2.7.5), with many of the function and variable names replaced to obfuscate the malicious JavaScript contained within the file.

Comments and functions observed in d3.js versions up until 2.8.0

Persistence

Gootkit has a very effective persistence mechanism. 

After execution, Gootkit achieves persistence by randomly selecting a single URL from a list of up to 50 remote locations, and downloads another JavaScript file. Gootkit creates a start-up item to achieve persistence called DEVICE~1.JS.

Additionally, a new scheduled task is added to the system using a randomly generated but legitimate-sounding name such as Trading System Development. The JavaScript file called by the scheduled task was stored under C:\Users\<username>\AppData\Roaming\<vendor> and invoked as wscript DEVICE~1.JS, where various software provider names were chosen to appear legitimate, such as Microsoft, WinRAR, and Adobe.
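The persistence described above leaves a recognisable combination in scheduled-task telemetry: a script host (wscript or cscript) running a .js file from a vendor-named folder under AppData\Roaming, often with an 8.3 short name such as DEVICE~1.JS. The following is an added example, not SenseOn’s code: the task records are constructed, the record shape (task name plus the action command line) is an assumption about how your export looks, and the two-of-three threshold is a tuning choice.

```python
import re

# Constructed scheduled-task records in the shape a telemetry export might
# give (task name, command the action runs). Not real data.
CONSTRUCTED_TASKS = [
    {"name": "Trading System Development",
     "action": r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\DEVICE~1.JS"'},
    {"name": "Adobe Acrobat Update Task",
     "action": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'},
    {"name": "OneDrive Standalone Update",
     "action": r'C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'},
    {"name": "Quarterly Finance Review",
     "action": r'cscript.exe C:\Users\bob\AppData\Roaming\WinRAR\DEVICE~1.JS'},
]

# wscript / cscript with or without the .exe suffix
SCRIPT_HOSTS = re.compile(r"\b(w|c)script(\.exe)?\b", re.IGNORECASE)
# a .js file one folder deep under AppData\Roaming (the <vendor> folder)
ROAMING_JS = re.compile(r"\\AppData\\Roaming\\[^\\\"]+\\[^\\\"]+\.js\b", re.IGNORECASE)
# 8.3 short filename, e.g. DEVICE~1.JS
SHORT_NAME = re.compile(r"\\[A-Z0-9_$]{1,6}~\d\.JS\b", re.IGNORECASE)


def assess_task(task: dict) -> dict:
    """Return the signals a single task record triggers."""
    action = task["action"]
    signals = []
    if SCRIPT_HOSTS.search(action):
        signals.append("script host (wscript/cscript)")
    if ROAMING_JS.search(action):
        signals.append(".js under AppData\\Roaming\\<vendor>")
    if SHORT_NAME.search(action):
        signals.append("8.3 short filename (e.g. DEVICE~1.JS)")
    # Any two signals together is treated as a match for this persistence style.
    return {"name": task["name"], "signals": signals, "suspicious": len(signals) >= 2}


def find_suspicious(tasks) -> list:
    """Names of tasks that meet the threshold, in input order."""
    return [a["name"] for a in map(assess_task, tasks) if a["suspicious"]]


if __name__ == "__main__":
    for t in CONSTRUCTED_TASKS:
        print(assess_task(t))
```

The task name itself is not used as a signal because, as the text notes, it is generated to look legitimate; the action command line is what carries the evidence. The same three checks apply unchanged to start-up folder entries.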

New scheduled tasks shown in SenseOn Hunt Lab

Command & Control

Gootkit then launches PowerShell.exe and changes the case of the executable (as Windows is case insensitive) so the running process appears as pOWeRshelL.exe – this is a basic method to evade poor signature-based detection methods.

The DEVICE~1.JS script injects itself into an svchost.exe process and connects to a new list of up to 50 command and control servers. External connections are then sourced directly from pOWeRshelL.exe and svchost.exe.

SenseOn Hunt Lab interface showing svchost.exe launching wscript.exe and cscript.exe to execute the JavaScript
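Two of the endpoint behaviours above translate directly into process-creation detections: the re-cased pOWeRshelL.exe image name, which only defeats detections that compare names byte-for-byte, and svchost.exe launching wscript.exe or cscript.exe to run the JavaScript. The following is an added example, not SenseOn’s code: the events are constructed, the field names (parent, image, cmdline) are an assumption about your telemetry, and the on-disk spelling used for the case comparison should be confirmed for your own environment since different sensors report casing differently.

```python
import ntpath

# Constructed process-creation events (parent image, child image, command line).
CONSTRUCTED_EVENTS = [
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\DEVICE~1.JS"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\pOWeRshelL.exe",
     "cmdline": "pOWeRshelL.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Expected on-disk spelling of binaries we care about (assumption: your sensor
# reports the image path as spelled on disk; treat a mismatch as one signal).
WATCHED = {"powershell.exe", "svchost.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path)


def image_name_case_anomaly(image: str):
    """Return the canonical name when the basename matches a watched binary
    only after case folding, i.e. the name was re-cased."""
    base = basename(image)
    for canon in WATCHED:
        if base.lower() == canon and base != canon:
            return canon
    return None


def assess_event(ev: dict) -> list:
    """All comparisons are case-insensitive, so re-casing alone does not evade them."""
    findings = []
    parent = basename(ev["parent"]).lower()
    child = basename(ev["image"]).lower()
    canon = image_name_case_anomaly(ev["image"])
    if canon:
        findings.append(f"image name case differs from {canon}")
    if parent == "svchost.exe" and child in SCRIPT_HOSTS:
        findings.append("svchost.exe spawned a script host")
    if child in SCRIPT_HOSTS and ".js" in ev["cmdline"].lower():
        findings.append("script host running a .js file")
    return findings


def suspicious_events(events) -> list:
    """(image basename, findings) for every event with at least one finding."""
    out = []
    for ev in events:
        findings = assess_event(ev)
        if findings:
            out.append((basename(ev["image"]), findings))
    return out


if __name__ == "__main__":
    for image, findings in suspicious_events(CONSTRUCTED_EVENTS):
        print(image, findings)
```

The important design point is the first one: every name comparison folds case before matching, so the detection of PowerShell, svchost and the script hosts does not depend on the spelling the malware chose, and the unusual spelling becomes an extra signal rather than a blind spot.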

All command and control servers extracted from the sample called back to xmlrpc.php scripts. This is a common file found in WordPress installations. Samples in other campaigns call back to different URLs. The list of servers is contained within an array within the JavaScript file.

Array with command and control servers
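Because the server list sits in a plain array of strings inside the loader, the first triage step on a new sample is to pull every quoted URL out of the file and defang it in the same hxxp[:]// form used in the IoC list below. The following is an added example, not SenseOn’s tooling: the JavaScript fragment is constructed (placeholder .invalid hosts, not the post’s IoCs), and the xmlrpc.php filter is specific to this campaign, which is why it is a parameter.

```python
import re

# Constructed fragment imitating the loader's layout: a D3 remnant followed by an
# array of servers. The hosts are placeholders, not the IoCs from the post.
CONSTRUCTED_JS = r'''
var d3=d3||{};d3.version="2.7.5";
var _0x3f=["http://example-one.invalid/xmlrpc.php","https://blog.example-two.invalid/xmlrpc.php",
"http://example-three.invalid/wp/xmlrpc.php","https://cdn.example-four.invalid/lib.js"];
'''

# Any single- or double-quoted http(s) URL literal.
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""")


def extract_urls(js: str) -> list:
    """All URL string literals in source order (duplicates kept)."""
    return URL_RE.findall(js)


def defang(url: str) -> str:
    """http://a.b/c -> hxxp[:]//a[.]b/c, the convention used in the IoC list."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}[:]//{host.replace('.', '[.]')}{sep}{path}"


def c2_candidates(js: str, path_suffix: str = "xmlrpc.php") -> list:
    """Unique defanged URLs whose path ends with path_suffix (None = keep all)."""
    seen, out = set(), []
    for url in extract_urls(js):
        if path_suffix and not url.lower().rstrip("/").endswith(path_suffix):
            continue
        if url not in seen:
            seen.add(url)
            out.append(defang(url))
    return out


if __name__ == "__main__":
    for candidate in c2_candidates(CONSTRUCTED_JS):
        print(candidate)
```

This only works on strings that appear literally; where a loader builds its URLs by concatenation or decodes them at run time, the array has to be recovered from a deobfuscated copy of the script first, as in the extract shown later in this post.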

Sent with the connection to the Command and Control server is a unique identifier for each device. Other variables are sent as a Base64 encoded cookie including:

The variables are commented inline on the below extract of the deobfuscated script, as observed by the SenseOn analyst team.

Commented device identifier information

GootKit command and control traffic is sent over HTTP & TLS. The HTTP user agent is modified to look like a Windows OS running a recent version of the Google Chrome browser (version 107). A connection to the command and control servers is made once every 20 seconds.

JavaScript showing a common web browser user agent
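The beacon characteristics above (one connection every 20 seconds, spread across many servers, each to xmlrpc.php, with a Chrome 107 user agent) are the basis for a network detection, and the conclusion below explains why it must aggregate per source host rather than per destination: to any single server the rate is far too low to stand out. The following is an added example, not SenseOn’s analytics: the proxy log format, the user agent string and the hosts are constructed, and the tolerance and minimum-hit thresholds are tuning choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed UA in the shape of Windows + Chrome 107 (not the sample's exact string).
CHROME_107_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36")
# Assumed proxy log layout: timestamp source method url "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def constructed_log(beacons: int = 6, start: str = "2023-02-10T09:00:00") -> list:
    """Constructed log: one host beaconing every 20 s across three placeholder
    servers, plus ordinary browsing from a second host at irregular times."""
    t0 = datetime.fromisoformat(start)
    hosts = ["c2-one.invalid", "c2-two.invalid", "c2-three.invalid"]
    lines = []
    for i in range(beacons):
        ts = (t0 + timedelta(seconds=20 * i)).isoformat()
        lines.append(f'{ts} 10.0.0.5 POST http://{hosts[i % 3]}/xmlrpc.php "{CHROME_107_UA}"')
    for offset in (3, 41, 95, 100, 260):
        ts = (t0 + timedelta(seconds=offset)).isoformat()
        lines.append(f'{ts} 10.0.0.7 GET https://www.example.invalid/page{offset} "{CHROME_107_UA}"')
    return lines


def parse(line: str):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, url, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "method": method, "url": url, "ua": ua}


def beacon_report(lines, period: float = 20.0, tolerance: float = 2.0,
                  min_hits: int = 4) -> dict:
    """Per source host: xmlrpc.php requests across *all* destinations, their mean
    spacing, and whether that spacing is regular around the expected period."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_src[rec["src"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        hits = sorted((r for r in recs if r["url"].lower().endswith("/xmlrpc.php")),
                      key=lambda r: r["ts"])
        if len(hits) < min_hits:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        hosts = {r["url"].split("/")[2] for r in hits}
        regular = abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance
        report[src] = {"hits": len(hits), "distinct_hosts": len(hosts),
                       "mean_gap": round(mean(gaps), 1), "regular": regular}
    return report


if __name__ == "__main__":
    print(beacon_report(constructed_log()))
```

Grouping by source and counting distinct destinations is what turns six low-rate connections to three different servers into one regular 20-second signal; a per-destination threshold would see two requests per server and stay silent. The user agent is parsed but deliberately not used as a discriminator, since it is chosen to match normal browser traffic.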

SenseOn’s unified telemetry can observe the traffic from the source process being sent to the command and control servers.

SenseOn unified telemetry showing connections being sent from pOWeRshelL.exe to command and control servers.

Conclusion

Our analysis of recent Gootkit activity indicates the possibility of targeting the financial and legal sectors. By spreading its lures on compromised websites and by weaving malicious code alongside legitimate code, it is likely to evade many web filters. Due to its prevalence, any large organisation in the finance or legal sector is likely to have seen Gootkit downloads. We have observed it bypassing traditional anti-virus, and preventative controls alone are unlikely to prevent infection.

With each infected host connecting to multiple command and control servers, at a rate of only one connection every 20 seconds, the number of connections to any one server may stay below the threshold at which network analysis alone would detect it. Organisations should assess their susceptibility to the TTPs discussed above.

Indicators of Compromise (IoCs)

hxxp[:]//fx-arabia[.]com/xmlrpc.php

hxxps[:]//yespornplease[.]tv/xmlrpc.php

hxxp[:]//bip[.]podkowalesna[.]pl/xmlrpc.php

hxxp[:]//nmm[.]pl/xmlrpc.php

hxxp[:]//mgplastcutlery[.]com/xmlrpc.php

hxxps[:]//ruscred[.]site/xmlrpc.php

hxxps[:]//mgplastcutlery[.]com/xmlrpc.php

hxxp[:]//educabla[.]com/xmlrpc.php

hxxps[:]//educabla[.]com/xmlrpc.php

hxxp[:]//clearchoiceairtreatment[.]com/xmlrpc.ph

hxxp[:]//blog[.]ddlab[.]net/xmlrpc.php

hxxps[:]//sayhueque[.]com/xmlrpc.php

hxxps[:]//nmm[.]pl/xmlrpc.php

hxxps[:]//fx-arabia[.]com/xmlrpc.php

hxxps[:]//emitrablog[.]com/xmlrpc.php

hxxps[:]//bankr[.]in/xmlrpc.php

hxxp[:]//phizyx[.]com/xmlrpc.php

hxxp[:]//naijafinix[.]com/xmlrpc.php

hxxp[:]//lianfidarkia[.]ir/xmlrpc.php

hxxp[:]//drinksoma[.]co[.]za/xmlrpc.php

hxxp[:]//measureschool[.]com/xmlrpc.php

hxxp[:]//blammoplus[.]com/xmlrpc.php

hxxps[:]//estrucadbim[.]com/xmlrpc.php

hxxps[:]//cloturesolival[.]com/xmlrpc.php

hxxps[:]//mustpanter[.]ee/xmlrpc.php

hxxps[:]//schafwolle-wendelstein[.]de/xmlrpc.php

hxxps[:]//bluenoteatsea[.]com/xmlrpc.php

hxxp[:]//allpress[.]com[.]ar/xmlrpc.php

hxxps[:]//deepstatetribunal[.]com/xmlrpc.php

hxxp[:]//www[.]ultramobile[.]com/xmlrpc.php

hxxp[:]//www[.]clarencehouse[.]com[.]au/xmlrpc.php

hxxp[:]//www[.]gettrymarcus[.]com/xmlrpc.php

hxxp[:]//coursetool[.]org/wordpress/xmlrpc.php

hxxps[:]//mepyd[.]gob[.]do/xmlrpc.php

hxxp[:]//apollo111[.]ro/xmlrpc.php

hxxp[:]//uncos[.]fr/xmlrpc.php

hxxp[:]//cowot[.]testsaitov[.]com/xmlrpc.php

hxxp[:]//biologyhacker[.]com/xmlrpc.php

hxxp[:]//anale[.]steconomiceuoradea[.]ro/xmlrpc.php

hxxp[:]//daxu[.]net/xmlrpc.php

hxxps[:]//varshithainterio[.]com/xmlrpc.php

hxxps[:]//demonslayer-mangaonline[.]com/xmlrpc.php

hxxps[:]//metropolitan[.]realestate/xmlrpc.php

hxxps[:]//biserica2[.]ro/xmlrpc.php

hxxp[:]//sayhueque[.]com/xmlrpc.php

hxxps[:]//blog[.]sientetusfilins[.]com/xmlrpc.php

hxxps[:]//autori[.]blendmagazine[.]it/xmlrpc.php

hxxp[:]//vpchandler[.]com/xmlrpc.php

hxxps[:]//naserabadi[.]com/xmlrpc.php

hxxps[:]//zyto[.]com/xmlrpc.php

hxxp[:]//0nlinenews[.]com/xmlrpc.php

hxxps[:]//www[.]scomb[.]com/xmlrpc.php

hxxp[:]//dc3common[.]sakura[.]ne[.]jp/wp/xmlrpc.php

hxxps[:]//www[.]wellandgood[.]com/xmlrpc.php

hxxp[:]//blog[.]cheny[.]org/xmlrpc.php

hxxp[:]//envotech[.]net/xmlrpc.php

hxxp[:]//www[.]apteka[.]ua/article/82849

hxxp[:]//crackgpsc[.]com/recruitment/xmlrpc.php

hxxp[:]//plug-torrent[.]com/xmlrpc.php

hxxp[:]//www[.]cashanalytics[.]com/xmlrpc.php

hxxp[:]//ciorsdan[.]com/wp/xmlrpc.php

hxxps[:]//pomelo[.]com[.]pl/xmlrpc.php

hxxps[:]//pornimgur[.]com/xmlrpc.php

hxxp[:]//cpbrandindia[.]com/xmlrpc.php

hxxps[:]//marketpress[.]de/xmlrpc.php

hxxps[:]//rewardsadvisor[.]com/xmlrpc.php

hxxps[:]//edufolios[.]org/xmlrpc.php

hxxps[:]//gamingbeasts[.]com/xmlrpc.php

hxxps[:]//seomodern[.]ru/xmlrpc.php